Windows Analysis Report
SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi

Overview

General Information

Sample name: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi
Analysis ID: 1493599
MD5: acd50da7436621368061abc2ca6193fe
SHA1: 7c7a9109e7e576ca2975305867937f3575e8d749
SHA256: 2ba7c24b984423bda7b4982b3b6e230a6c0f2dae44b580c6f02d133e625fd3bb
Tags: msi

Detection

AteraAgent
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6096 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 3260 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2784 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 181D1394CAAEB830AC973720F30550E5 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 2136 cmdline: rundll32.exe "C:\Windows\Installer\MSI2299.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7152421 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 5780 cmdline: rundll32.exe "C:\Windows\Installer\MSI2828.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7153750 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 2268 cmdline: rundll32.exe "C:\Windows\Installer\MSI35E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7157250 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 2832 cmdline: rundll32.exe "C:\Windows\Installer\MSI4EF0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7163640 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 6772 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 39C8CCDE77C0A8431B675EA9C7DDE8CF E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 6488 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 4864 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 1592 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 3248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 5660 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="apae.leticiarozanski@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LJyPNIA1" /AgentId="b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 4160 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 22082F62A3568C9AEFDA4CD2E366C73D E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 3136 cmdline: rundll32.exe "C:\Windows\Installer\MSI1667.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7214812 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
  • AteraAgent.exe (PID: 6636 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 3984 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 1864 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "8f7de333-83ca-4d02-94ef-1b8545d50f26" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LJyPNIA1 MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 5280 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "313c2f49-e11b-4184-83f8-24833206108a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LJyPNIA1 MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 6920 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "f56981de-298d-4b18-9699-96fd97645b14" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LJyPNIA1 MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 2120 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6a977784-500a-4b6f-98da-3b8105c955fb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LJyPNIA1 MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3212 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 4920 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageMonitoring.exe (PID: 1548 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a383a7a9-5802-447a-aa75-24c8264d606b" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LJyPNIA1 MD5: B50005A1A62AFA85240D1F65165856EB)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 5036 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7120 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 4020 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "369c9bdf-f4d2-425d-a5d4-bce6b2c11f23" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LJyPNIA1 MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2632 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 6628 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 2912 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "5f6f6507-8a14-439a-936b-7c9abb12dc95" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LJyPNIA1 MD5: 511A4FB73993DFA87C69BA28F15F37A8)
      • conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageUpgradeAgent.exe (PID: 6796 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6f300cb5-dcd2-4a4e-a623-2be92e21fc41" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LJyPNIA1 MD5: 6095B43FA565DA44E7A818CFB4BACBA2)
      • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 4232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 4608 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageTicketing.exe (PID: 5276 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a5cfd08f-59bf-4f7d-aca9-3371418cc30f" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LJyPNIA1 MD5: B0E08EBA67B6AAB9E4CD11E3CC0D9988)
      • conhost.exe (PID: 1776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageSystemTools.exe (PID: 4900 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a742f8fb-c2f7-4e35-9df0-01c83d8be31e" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LJyPNIA1 MD5: 26E9CCE4BD85A1FCACBF03A8C3F3DDCA)
      • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 5336 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "752b1c43-f6f1-475b-a99d-893bafb3d192" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LJyPNIA1 MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 2968 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 4324 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 4048 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: 6095B43FA565DA44E7A818CFB4BACBA2)
    • conhost.exe (PID: 2584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Windows\Temp\~DFCA8BC26715A0D8E1.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DFC8140AAE6423030D.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSI1667.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
(66 more entries not shown)

Source | Rule | Description | Author | Strings
0000002E.00000002.2807052058.00000189B6BD0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000001B.00000002.3008930987.000001F1DF8CE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000E.00000002.2691250880.000002C2AE611000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000025.00000002.2528115170.0000020DBC9F6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000025.00000002.2509482920.0000020DA2FF2000.00000002.00000001.01000000.0000001C.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
(322 more entries not shown)

Source | Rule | Description | Author | Strings
44.0.AgentPackageUpgradeAgent.exe.1f8bf4a0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
56.2.AgentPackageSystemTools.exe.1a3ae2b0000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
42.0.AgentPackageSTRemote.exe.210e9490000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
51.0.AgentPackageTicketing.exe.1e995440000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
27.2.AteraAgent.exe.1f1c70c3f40.1.raw.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
(12 more entries not shown)
Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\msiexec.exe, SourceProcessId: 4608, StartAddress: A310A480, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 4608
Source: Process started | Author: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3212, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 4920, ProcessName: cscript.exe
Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 39C8CCDE77C0A8431B675EA9C7DDE8CF E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6772, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 6488, ProcessName: net.exe
Source: Process started | Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 39C8CCDE77C0A8431B675EA9C7DDE8CF E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6772, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 6488, ProcessName: net.exe
Source: Process started | Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 4324, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: 6d2167.rbf (copy) | ReversingLabs: Detection: 13%
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.8% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | Code function: 37_2_00007FFD8B604BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,37_2_00007FFD8B604BC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | Code function: 37_2_00007FFD8B604E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,37_2_00007FFD8B604E20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | Code function: 37_2_00007FFD8B604DE0 CryptReleaseContext,37_2_00007FFD8B604DE0
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\AteraSetupLog.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txt
Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdbt source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.3032544207.000001F8D8709000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000025.00000002.2522722057.0000020DBB942000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.3032544207.000001F8D8709000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Diagnostics.DiagnosticSource/net45-Release/System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll0.27.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.3032544207.000001F8D8709000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb l:l ,l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000033.00000000.2747579281.000001E995442000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.2226925972.000001E7E5D12000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\projects\serilog-framework-logging\src\Serilog.Extensions.Logging\obj\Release\netstandard2.0\Serilog.Extensions.Logging.pdbSHA256 source: Serilog.Extensions.Logging.dll.27.dr
Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000015.00000002.2376619271.000001E1AE4A2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageSystemTools.exe, 00000038.00000002.2806182437.000001A3AE2B2000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb< source: AgentPackageAgentInformation.exe, 00000015.00000000.2354318537.000001E1AE042000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr
Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.3032544207.000001F8D8709000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002C.00000000.2720639074.000001F8BF4A2000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000025.00000002.2527496737.0000020DBBD22000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection\4.1.2.0\System.Reflection.pdb source: System.Reflection.dll.27.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2522066534.0000020DBB852000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 0000003A.00000002.2863333534.0000022974172000.00000002.00000001.01000000.00000036.sdmp
Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb5` source: Atera.AgentPackages.CommonLib.dll0.27.dr
Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdbSHA256 source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C73E1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.3032544207.000001F8D8709000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 0000003A.00000002.2867627799.00000229744D2000.00000002.00000001.01000000.00000038.sdmp
Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2163906663.0000000004FE3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000453B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\21\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: AgentPackageSystemTools.exe, 00000038.00000002.2810184843.000001A3C6B62000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.3032544207.000001F8D8709000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\serilog-framework-logging\src\Serilog.Extensions.Logging\obj\Release\netstandard2.0\Serilog.Extensions.Logging.pdb source: Serilog.Extensions.Logging.dll.27.dr
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.2226925972.000001E7E5D12000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: /_/src/Serilog/obj/Release/netstandard2.1/Serilog.pdbSHA256 source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdbt source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: Microsoft.ApplicationInsights.dll.14.dr
                                Source: Binary string: mscorlib.pdbet{g source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.3032544207.000001F8D86B3000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 0000003A.00000000.2797664631.0000022973022000.00000002.00000001.01000000.00000030.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2730444738.000002C2C72A2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdbpTs source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2730444738.000002C2C72A2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2526812896.0000020DBBC62000.00000002.00000001.01000000.00000022.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\svn\branches\features\iris00_v3_20150407_69486\win32\stxpsdrv\src\filters\color\objfre_win7_x86\i386\XDColMan.pdb source: XDColMan.dll.2.dr
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.DiagnosticSource/net45-Release/System.Diagnostics.DiagnosticSource.pdbSHA256 source: System.Diagnostics.DiagnosticSource.dll0.27.dr
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2524532025.0000020DBBB02000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000015.00000000.2354318537.000001E1AE042000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2522722057.0000020DBB942000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.2163906663.0000000004FE3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000453B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2376908557.000001E1AEAE2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7612000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2761445310.000001FA73B60000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.EventBasedAsync\4.0.11.0\System.ComponentModel.EventBasedAsync.pdb source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7480000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C73E1000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: .pdbt source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2376908557.000001E1AEAE2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7612000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2526812896.0000020DBBC62000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2761445310.000001FA73B60000.00000002.00000001.01000000.0000002A.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2984826925.000001F8BFE42000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdbI source: AgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF92E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2984826925.000001F8BFE42000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: devcon.pdbhe source: devcon.exe6.2.dr
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Xml/netfx\System.Runtime.Serialization.Xml.pdb source: System.Runtime.Serialization.Xml.dll.27.dr
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 0000003A.00000002.2867627799.00000229744D2000.00000002.00000001.01000000.00000038.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: Atera.AgentPackages.CommonLib.dll0.27.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.2163906663.0000000004FE3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000453B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/net6.0-Release/Microsoft.Extensions.Primitives.pdb source: Microsoft.Extensions.Primitives.dll.27.dr
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000025.00000002.2522066534.0000020DBB852000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: d:\svn\sr01\tim\dev\win32\stvideo\display\objfre_win7_x86\i386\stvideo.pdb source: stvideo.dll.2.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000015.00000002.2376619271.000001E1AE4A2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/netstandard2.0-Release/Microsoft.Extensions.Configuration.Abstractions.pdbSHA256^r? source: Microsoft.Extensions.Configuration.Abstractions.dll.27.dr
                                Source: Binary string: c:\winddk\6000\src\video\displays\mirror\mini\objfre_wlh_amd64\amd64\mv2.pdb source: mv2.sys1.2.dr
                                Source: Binary string: devcon.pdb source: devcon64.exe0.2.dr, devcon.exe6.2.dr
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdbCW source: Microsoft.ApplicationInsights.dll.14.dr
                                Source: Binary string: d:\str\dev\win32\sthid\hidmapper\objfre_win7_x86\i386\hidkmdf.pdb source: hidkmdf.sys.2.dr
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2545851624.00007FFD8B74A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/netstandard2.0-Release/Microsoft.Extensions.Configuration.Abstractions.pdb source: Microsoft.Extensions.Configuration.Abstractions.dll.27.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2273107455.000001E800002000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.2.dr
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: d:\str\dev\win32\sthid\hidmapper\objfre_win7_x86\i386\hidkmdf.pdbN source: hidkmdf.sys.2.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2273107455.000001E800002000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.2.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections\4.0.11.0\System.Collections.pdb source: System.Collections.dll.27.dr
                                Source: Binary string: /_/src/Serilog/obj/Release/netstandard2.1/Serilog.pdb source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/net6.0-Release/Microsoft.Extensions.Primitives.pdbSHA256*J source: Microsoft.Extensions.Primitives.dll.27.dr
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2527496737.0000020DBBD22000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection\4.1.2.0\System.Reflection.pdbH,b, T,_CorDllMainmscoree.dll source: System.Reflection.dll.27.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 0000003A.00000002.2863333534.0000022974172000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Extensions\4.0.1.0\System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.27.dr
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.3032544207.000001F8D8709000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Contracts\4.0.1.0\System.Diagnostics.Contracts.pdb source: System.Diagnostics.Contracts.dll.27.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000033.00000000.2747579281.000001E995442000.00000002.00000001.01000000.00000028.sdmp
                                Source: C:\Windows\System32\msiexec.exe File opened: z:
                                Source: C:\Windows\System32\msiexec.exe File opened: x:
                                Source: C:\Windows\System32\msiexec.exe File opened: v:
                                Source: C:\Windows\System32\msiexec.exe File opened: t:
                                Source: C:\Windows\System32\msiexec.exe File opened: r:
                                Source: C:\Windows\System32\msiexec.exe File opened: p:
                                Source: C:\Windows\System32\msiexec.exe File opened: n:
                                Source: C:\Windows\System32\msiexec.exe File opened: l:
                                Source: C:\Windows\System32\msiexec.exe File opened: j:
                                Source: C:\Windows\System32\msiexec.exe File opened: h:
                                Source: C:\Windows\System32\msiexec.exe File opened: f:
                                Source: C:\Windows\System32\msiexec.exe File opened: b:
                                Source: C:\Windows\System32\msiexec.exe File opened: y:
                                Source: C:\Windows\System32\msiexec.exe File opened: w:
                                Source: C:\Windows\System32\msiexec.exe File opened: u:
                                Source: C:\Windows\System32\msiexec.exe File opened: s:
                                Source: C:\Windows\System32\msiexec.exe File opened: q:
                                Source: C:\Windows\System32\msiexec.exe File opened: o:
                                Source: C:\Windows\System32\msiexec.exe File opened: m:
                                Source: C:\Windows\System32\msiexec.exe File opened: k:
                                Source: C:\Windows\System32\msiexec.exe File opened: i:
                                Source: C:\Windows\System32\msiexec.exe File opened: g:
                                Source: C:\Windows\System32\msiexec.exe File opened: e:
                                Source: C:\Windows\System32\cscript.exe File opened: c:
                                Source: C:\Windows\System32\msiexec.exe File opened: a:
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34211FFFh 13_2_00007FFD34211E7E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34211FFFh 13_2_00007FFD34211E88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34211FFFh 13_2_00007FFD34211EB6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34211873h 13_2_00007FFD3421184E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34211A44h 13_2_00007FFD3421184E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34211873h 13_2_00007FFD34210C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34211A44h 13_2_00007FFD34210C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34211FFFh 13_2_00007FFD34210C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD3421227Bh 13_2_00007FFD34210C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD3424B982h 14_2_00007FFD3424B72E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34234ECBh 14_2_00007FFD34234EAF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD3424B982h 14_2_00007FFD3424B92F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34231A44h 14_2_00007FFD34231A34
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD3423227Bh 14_2_00007FFD3423225D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34234ECBh 27_2_00007FFD34234E6B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD3423227Bh 27_2_00007FFD3423225D

                                Networking

                                Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 40.119.152.241 443
                                Source: Yara match; File source: 21.0.AgentPackageAgentInformation.exe.1e1ae040000.0.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 51.2.AgentPackageTicketing.exe.1e995c50000.1.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Joe Sandbox View; IP Address: 40.119.152.241
                                Source: Joe Sandbox View; IP Address: 35.157.63.228
                                Source: Joe Sandbox View; IP Address: 192.229.221.95
                                Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
0000002A.00000002.3429292494.0000021080216000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002C.00000002.2988910791.000001F8C0120000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002C.00000002.2988910791.000001F8C011C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AteraAgent.exe, 0000000E.00000002.2716483231.000002C2C6AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: System.Diagnostics.DiagnosticSource.dll0.27.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/O0D
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                                Source: AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFE97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTruU0
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F3A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE932000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C764C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C73E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C723A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C70E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2270925191.000001E780449000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2272041127.000001E7E79E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFDB0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE835000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F1E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2716483231.000002C2C69C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6EA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F6C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF8CE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF840000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7115000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF92E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7133000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C713F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7480000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001B.00000002.2878015481.000001F1C768E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlm
                                Source: AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFE97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrMw
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFE61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/u
                                Source: AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFE97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                                Source: AgentPackageSTRemote.exe, 0000002A.00000002.3429292494.000002108021B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C73CD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7480000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F3A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000000.2354318537.000001E1AE042000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.drString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageSTRemote.exe, 0000002A.00000002.3429292494.000002108021B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.com
                                Source: rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: AgentPackageSTRemote.exe, 0000002A.00000002.3429292494.00000210801BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://my.splashtop.com
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.cS0X
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2716483231.000002C2C6A0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
                                Source: AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFE1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFE32000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFDB0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6E7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2716483231.000002C2C6A0D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                                Source: AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFDB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                                Source: AteraAgent.exe, 0000000D.00000002.2270925191.000001E780449000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2272041127.000001E7E79E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFDB0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE611000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE4A8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE835000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F1E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2716483231.000002C2C69C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE587000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6EA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE932000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F6C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF8CE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF840000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000001B.00000002.2878015481.000001F1C7115000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF92E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7133000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE835000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F1E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2716483231.000002C2C69C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F6C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6E70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2377783987.000001E1C735F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2377783987.000001E1C72C0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2381295696.0000014E2FF15000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2381295696.0000014E2FEBC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF8CE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF840000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000001B.00000002.3008930987.000001F1DF92E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7480000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE835000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F1E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2716483231.000002C2C69C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF840000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF92E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7480000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C73E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2870623611.000001F1C63D6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.3008930987.000001F1DF8F6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000001B.00000002.3008930987.000001F1DF8FD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7612000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drString found in binary or memory: http://ocsp.digicert.com0K
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drString found in binary or memory: http://ocsp.digicert.com0N
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drString found in binary or memory: http://ocsp.digicert.com0O
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C73E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C73E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
                                Source: Microsoft.Extensions.Primitives.dll.27.drString found in binary or memory: https://github.com/dotnet/runtime
                                Source: Microsoft.Extensions.Configuration.Abstractions.dll.27.drString found in binary or memory: https://github.com/dotnet/runtimeR
                                Source: AteraAgent.exe, 0000000E.00000002.2730444738.000002C2C72A2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                                Source: AgentPackageInternalPoller.exe, 0000003A.00000002.2867627799.00000229744D2000.00000002.00000001.01000000.00000038.sdmpString found in binary or memory: https://github.com/lextudio/sharpsnmplib.git
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/serilog/serilog/pull/819.
                                Source: AgentPackageSTRemote.exe, 0000002A.00000002.3429292494.0000021080130000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com
                                Source: AgentPackageSTRemote.exe, 0000002A.00000000.2718158766.00000210E9492000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2526694956.0000020DBBC58000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2988910791.000001F8C00F4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002C.00000002.2988910791.000001F8BFFC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net
                                Source: AgentPackageUpgradeAgent.exe, 0000002C.00000000.2720639074.000001F8BF4A2000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Agents/Mac/
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AgentPackageUpgradeAgent.exe, 0000002C.00000000.2720639074.000001F8BF4A2000.00000002.00000001.01000000.00000026.sdmp, AgentPackageUpgradeAgent.exe, 0000002C.00000002.2988910791.000001F8BFFC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
                                Source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2988910791.000001F8BFFC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
                                Source: AgentPackageUpgradeAgent.exe, 0000002C.00000000.2720639074.000001F8BF4A2000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
                                Source: AgentPackageUpgradeAgent.exe, 0000002C.00000000.2720639074.000001F8BF4A2000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateH
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE382000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C73CD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C723A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6DDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE546000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageA
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE546000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAg
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE660000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAge
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE660000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgen
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE5D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgentIn
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE5D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Wat
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip?qTzK5d
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?qTzK5ds0WX
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE5D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE382000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2E4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformati
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?qTzK5d
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.4/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.4/AgentPackageMarketplace.zip?qTzK
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C723A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMoni
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C723A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip?qTzK5
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.2/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.2/AgentPackageOsUpdates.zip?qTzK5ds
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/23.4/AgentPackageProgramManage
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/22.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/22.0/AgentPackageSTRemote.zip?qTzK5ds0W
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip?qTz
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/27.9/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip?q
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE5D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3452803258.000001E995CFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgX
                                Source: AgentPackageSTRemote.exe, 0000002A.00000002.3429292494.0000021080130000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000000.2718158766.00000210E9492000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AgentPackageSTRemote.exe, 0000002A.00000000.2718158766.00000210E9492000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exepUsers/Shared/Splashtop
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmpString found in binary or memory: https://ps.atera.com/translations/TicketingTray.json
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmpString found in binary or memory: https://ps.atera.com/translations/TicketingTray.json?9translation
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE611000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6AE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE587000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE59A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE622000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE611000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6AE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE587000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE59A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE622000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6C77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0da8f560-37ca-40d8-b393-a4cf7874f743
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2cec6a15-c4db-4b9e-98d6-0c46f8fde135
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=338b493c-8884-4a60-9494-ddd5a039e2df
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5c82dcdf-d5d5-425f-bee0-67c44fef6f3f
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7b72fdb2-5d79-4ed6-a424-b987ddb98d4d
                                Source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6C77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=8d578304-aa0b-447e-a1ba-1575ff7024e4
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c496ece2-e20a-4cf9-ba56-08036f242808
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d84c6fc9-769e-4b10-aba3-e96f8af7077d
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscrib
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE622000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/b6d7854f-41ac-4cbe-bd3f
                                Source: AgentPackageSystemTools.exe, 00000038.00000002.2810184843.000001A3C6B62000.00000002.00000001.01000000.00000032.sdmpString found in binary or memory: https://rt.services.visualstudio.com/p
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmpString found in binary or memory: https://setup-app-resolver.atera.com
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2527496737.0000020DBBD22000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2527845052.0000020DBBD84000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2527496737.0000020DBBD22000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmp, AgentPackageSystemTools.exe, 00000038.00000002.2806671115.000001A3AE4A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSystemTools.exe, 00000038.00000000.2789734652.000001A3ADAC2000.00000002.00000001.01000000.0000002D.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnosti
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drString found in binary or memory: https://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 0000000E.00000002.2727878966.000002C2C7068000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2526694956.0000020DBBC58000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2376908557.000001E1AEAE2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C7612000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2526812896.0000020DBBC62000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2761445310.000001FA73B60000.00000002.00000001.01000000.0000002A.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2546374200.00007FFD8B794000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d2160.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2299.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2828.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI35E4.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI37F9.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3809.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3887.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3973.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d2162.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4EF0.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d2163.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1667.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1C83.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2703.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3099.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI30B9.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI31D4.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3242.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4A4F.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4A60.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4ACE.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4B4C.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d216f.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5020.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d2170.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA8EF.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA92F.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA9FB.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB640.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB8B2.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d2173.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE07F.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE514.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF486.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF717.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2299.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2299.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2299.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2299.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2299.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2299.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2828.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2828.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2828.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2828.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2828.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2828.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI35E4.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI35E4.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI35E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI35E4.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI35E4.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI35E4.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329B6147266C1E26CD774EA22B79EC2E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4EF0.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4EF0.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4EF0.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4EF0.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4EF0.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4EF0.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1667.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1667.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1667.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1667.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1667.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1667.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI2299.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD3423412821_2_00007FFD34234128
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD342211CF21_2_00007FFD342211CF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD342299A021_2_00007FFD342299A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD342211FA21_2_00007FFD342211FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3425860223_2_00007FFD34258602
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3425B6B923_2_00007FFD3425B6B9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3425785623_2_00007FFD34257856
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD34261AF323_2_00007FFD34261AF3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3425BCA823_2_00007FFD3425BCA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3425DD6023_2_00007FFD3425DD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3425B75A23_2_00007FFD3425B75A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3426103023_2_00007FFD34261030
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3425683023_2_00007FFD34256830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD342568D023_2_00007FFD342568D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3426412823_2_00007FFD34264128
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD342511CF23_2_00007FFD342511CF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD342599A023_2_00007FFD342599A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD342511FA23_2_00007FFD342511FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD3425122023_2_00007FFD34251220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFD342682A323_2_00007FFD342682A3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 25_2_00007FFD3422194425_2_00007FFD34221944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 25_2_00007FFD342211CF25_2_00007FFD342211CF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 25_2_00007FFD342211FA25_2_00007FFD342211FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD34230D4227_2_00007FFD34230D42
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD34241D8B27_2_00007FFD34241D8B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD34239EDF27_2_00007FFD34239EDF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD342456F227_2_00007FFD342456F2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD34243FBD27_2_00007FFD34243FBD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD3423608527_2_00007FFD34236085
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD344464F827_2_00007FFD344464F8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD34442BB527_2_00007FFD34442BB5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD3444F4FA27_2_00007FFD3444F4FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD3444B19427_2_00007FFD3444B194
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD3444F58027_2_00007FFD3444F580
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD34445A2627_2_00007FFD34445A26
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD3444F5FA27_2_00007FFD3444F5FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 27_2_00007FFD3444CB5827_2_00007FFD3444CB58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD342564C030_2_00007FFD342564C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3424254530_2_00007FFD34242545
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3423963230_2_00007FFD34239632
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD342312C030_2_00007FFD342312C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3423C36F30_2_00007FFD3423C36F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3423CCF930_2_00007FFD3423CCF9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3424BE4130_2_00007FFD3424BE41
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD34254F7D30_2_00007FFD34254F7D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3425800530_2_00007FFD34258005
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD34245FF230_2_00007FFD34245FF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3423888630_2_00007FFD34238886
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3423194430_2_00007FFD34231944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3425C9D830_2_00007FFD3425C9D8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3424DA2C30_2_00007FFD3424DA2C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD34233AF330_2_00007FFD34233AF3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3425158530_2_00007FFD34251585
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3424F57530_2_00007FFD3424F575
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3423073030_2_00007FFD34230730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD342341A230_2_00007FFD342341A2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD342311FA30_2_00007FFD342311FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3423122030_2_00007FFD34231220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3424A36D30_2_00007FFD3424A36D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD34254C7830_2_00007FFD34254C78
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD34260DED30_2_00007FFD34260DED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD342459D130_2_00007FFD342459D1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3425C9F830_2_00007FFD3425C9F8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B72696037_2_00007FFD8B726960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B7301E037_2_00007FFD8B7301E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B7220E037_2_00007FFD8B7220E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B67B88037_2_00007FFD8B67B880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B648B9037_2_00007FFD8B648B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B69CC0037_2_00007FFD8B69CC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B616A8037_2_00007FFD8B616A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6BAA7037_2_00007FFD8B6BAA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B638A6037_2_00007FFD8B638A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B66CB5037_2_00007FFD8B66CB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6DAB0037_2_00007FFD8B6DAB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B64E99037_2_00007FFD8B64E990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5F8A3C37_2_00007FFD8B5F8A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5F28C037_2_00007FFD8B5F28C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6488A037_2_00007FFD8B6488A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B60886037_2_00007FFD8B608860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6B686037_2_00007FFD8B6B6860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6E691037_2_00007FFD8B6E6910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B68EFD037_2_00007FFD8B68EFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B63AFB037_2_00007FFD8B63AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B602F8C37_2_00007FFD8B602F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B63902037_2_00007FFD8B639020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5FCEA837_2_00007FFD8B5FCEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B61CE7037_2_00007FFD8B61CE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5F4DB437_2_00007FFD8B5F4DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B72CD6037_2_00007FFD8B72CD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B650E3037_2_00007FFD8B650E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B63ACD037_2_00007FFD8B63ACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B606CC037_2_00007FFD8B606CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B740D3037_2_00007FFD8B740D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B724C8037_2_00007FFD8B724C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B676D2037_2_00007FFD8B676D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6B8D2037_2_00007FFD8B6B8D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B664D0037_2_00007FFD8B664D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6922B037_2_00007FFD8B6922B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B61033037_2_00007FFD8B610330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B61231037_2_00007FFD8B612310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6B831037_2_00007FFD8B6B8310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B69A2F037_2_00007FFD8B69A2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B66224037_2_00007FFD8B662240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6AC22037_2_00007FFD8B6AC220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B68A0C037_2_00007FFD8B68A0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6940A037_2_00007FFD8B6940A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B67C11037_2_00007FFD8B67C110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5FE80C37_2_00007FFD8B5FE80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B68A7E037_2_00007FFD8B68A7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B72C68037_2_00007FFD8B72C680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B60E72037_2_00007FFD8B60E720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B60273837_2_00007FFD8B602738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6AA5D037_2_00007FFD8B6AA5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5F85D437_2_00007FFD8B5F85D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6AE59037_2_00007FFD8B6AE590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6D659037_2_00007FFD8B6D6590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B72E5B037_2_00007FFD8B72E5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B67060037_2_00007FFD8B670600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B7105D037_2_00007FFD8B7105D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6044DC37_2_00007FFD8B6044DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6564A037_2_00007FFD8B6564A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B67455037_2_00007FFD8B674550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5FA52437_2_00007FFD8B5FA524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B64051037_2_00007FFD8B640510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B639BA037_2_00007FFD8B639BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B733C2037_2_00007FFD8B733C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6DDB8037_2_00007FFD8B6DDB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B61BBE037_2_00007FFD8B61BBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B625AD037_2_00007FFD8B625AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B629A6037_2_00007FFD8B629A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6A7A6037_2_00007FFD8B6A7A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B657B3037_2_00007FFD8B657B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B693AF037_2_00007FFD8B693AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B65B9F037_2_00007FFD8B65B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B6518DA37_2_00007FFD8B6518DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B61D91037_2_00007FFD8B61D910
                                Source: Joe Sandbox ViewDropped File: 6d2167.rbf (copy) A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFD8B7406B0 appears 145 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFD8B741B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFD8B741D30 appears 114 times
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msiBinary or memory string: OriginalFilenamewixca.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi
                                Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                                Source: AteraAgent.exe.2.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@99/776@0/9
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1708:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6768:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6456:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3320:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4088:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3248:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6720:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7104:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6432:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4608:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4176:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5000:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2584:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1216:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1776:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1056:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFDA9F148306AEE887.TMP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2299.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7152421 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResultC{0} {1} {2} {3} or8ixLi90Mf "{4}"
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2545851624.00007FFD8B74A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2545851624.00007FFD8B74A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2545851624.00007FFD8B74A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2545851624.00007FFD8B74A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2545851624.00007FFD8B74A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2545851624.00007FFD8B74A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA3733000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2545851624.00007FFD8B74A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msiReversingLabs: Detection: 18%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 181D1394CAAEB830AC973720F30550E5
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2299.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7152421 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2828.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7153750 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI35E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7157250 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 39C8CCDE77C0A8431B675EA9C7DDE8CF E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="apae.leticiarozanski@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LJyPNIA1" /AgentId="b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI4EF0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7163640 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "8f7de333-83ca-4d02-94ef-1b8545d50f26" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "313c2f49-e11b-4184-83f8-24833206108a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "f56981de-298d-4b18-9699-96fd97645b14" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6a977784-500a-4b6f-98da-3b8105c955fb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a383a7a9-5802-447a-aa75-24c8264d606b" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "369c9bdf-f4d2-425d-a5d4-bce6b2c11f23" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "5f6f6507-8a14-439a-936b-7c9abb12dc95" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6f300cb5-dcd2-4a4e-a623-2be92e21fc41" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a5cfd08f-59bf-4f7d-aca9-3371418cc30f" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 22082F62A3568C9AEFDA4CD2E366C73D E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1667.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7214812 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a742f8fb-c2f7-4e35-9df0-01c83d8be31e" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "752b1c43-f6f1-475b-a99d-893bafb3d192" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Process created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Process created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1667.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7214812 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\System32\msiexec.exe File written: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.ini
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
Source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi Static file information: File size 2994176 > 1048576
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000025.00000002.2522066534.0000020DBB852000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: d:\svn\sr01\tim\dev\win32\stvideo\display\objfre_win7_x86\i386\stvideo.pdb source: stvideo.dll.2.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000015.00000002.2376619271.000001E1AE4A2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/netstandard2.0-Release/Microsoft.Extensions.Configuration.Abstractions.pdbSHA256^r? source: Microsoft.Extensions.Configuration.Abstractions.dll.27.dr
                                Source: Binary string: c:\winddk\6000\src\video\displays\mirror\mini\objfre_wlh_amd64\amd64\mv2.pdb source: mv2.sys1.2.dr
                                Source: Binary string: devcon.pdb source: devcon64.exe0.2.dr, devcon.exe6.2.dr
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdbCW source: Microsoft.ApplicationInsights.dll.14.dr
                                Source: Binary string: d:\str\dev\win32\sthid\hidmapper\objfre_win7_x86\i386\hidkmdf.pdb source: hidkmdf.sys.2.dr
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2545851624.00007FFD8B74A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/netstandard2.0-Release/Microsoft.Extensions.Configuration.Abstractions.pdb source: Microsoft.Extensions.Configuration.Abstractions.dll.27.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2273107455.000001E800002000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.2.dr
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: d:\str\dev\win32\sthid\hidmapper\objfre_win7_x86\i386\hidkmdf.pdbN source: hidkmdf.sys.2.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2273107455.000001E800002000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.2.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections\4.0.11.0\System.Collections.pdb source: System.Collections.dll.27.dr
                                Source: Binary string: /_/src/Serilog/obj/Release/netstandard2.1/Serilog.pdb source: AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/net6.0-Release/Microsoft.Extensions.Primitives.pdbSHA256*J source: Microsoft.Extensions.Primitives.dll.27.dr
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2527496737.0000020DBBD22000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection\4.1.2.0\System.Reflection.pdbH,b, T,_CorDllMainmscoree.dll source: System.Reflection.dll.27.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 0000003A.00000002.2863333534.0000022974172000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Extensions\4.0.1.0\System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.27.dr
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.3032544207.000001F8D8709000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Contracts\4.0.1.0\System.Diagnostics.Contracts.pdb source: System.Diagnostics.Contracts.dll.27.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000033.00000000.2747579281.000001E995442000.00000002.00000001.01000000.00000028.sdmp
                                Source: BouncyCastle.Crypto.dll.2.drStatic PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B601910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,37_2_00007FFD8B601910
                                Source: stdpms.sys.2.drStatic PE information: section name: NONPAGED
                                Source: stdpms.sys0.2.drStatic PE information: section name: NONPAGED
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_06E784A1 push es; ret 5_3_06E784B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FFD34445FE4 push eax; ret 14_2_00007FFD34446014
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FFD3444700E push ds; iretd 14_2_00007FFD3444700F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FFD3444196C push eax; ret 14_2_00007FFD34441984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FFD34440296 push es; iretd 14_2_00007FFD34440298
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FFD344402E8 push es; iretd 14_2_00007FFD344402E9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FFD34440421 push eax; ret 14_2_00007FFD34440444
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FFD34440C51 push eax; ret 14_2_00007FFD34440C74
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D90E6C push ebp; retf 17_3_04D91966
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91440 push esp; retf 17_3_04D914BE
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D9310C push edi; retf 17_3_04D9397E
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D90440 push edx; retf 17_3_04D9044E
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D9247B push edx; retf 17_3_04D92486
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D9246F push esi; iretd 17_3_04D9247A
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D92463 push ebp; iretd 17_3_04D9246A
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D920AB push ebp; retf 17_3_04D920AE
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D9225B push edx; retf 17_3_04D92266
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D92210 push ebp; retf 17_3_04D9221E
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D923B3 push edx; retf 17_3_04D923B6
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91431 push esp; retf 17_3_04D9143E
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D9162B push edx; retf 17_3_04D9162E
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91077 push edx; retf 17_3_04D9107E
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91DB0 push ebp; retf 17_3_04D91DBE
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91D03 push ebp; retf 17_3_04D91D0E
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91E1B push ebp; retf 17_3_04D91E1E
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91FA3 push ebp; retf 17_3_04D91FA6
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91958 push ebp; retf 17_3_04D91966
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91AFB push esp; retf 17_3_04D91AFE
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91A48 push esp; retf 17_3_04D91AA6
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D91A3B push esp; retf 17_3_04D91A46
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_04D93A29 push ebp; retf 17_3_04D93A36

                                Persistence and Installation Behavior

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329B6147266C1E26CD774EA22B79EC2E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exe
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1667.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI4EF0.tmp-\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2299.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2299.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6d216c.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3809.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3887.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE514.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA8EF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA92F.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6d216a.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9FB.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31D4.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI35E4.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2703.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4A60.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2828.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1C83.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6d216d.rbf (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI35E4.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4ACE.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF717.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1667.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF486.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4B4C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4EF0.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI35E4.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6d2169.rbf (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2299.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2299.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3973.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI4EF0.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI35E4.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4B4C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4EF0.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5020.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2299.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI4EF0.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2299.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2299.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE514.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA8EF.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI35E4.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA92F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1667.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1667.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4ACE.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2828.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4A60.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1667.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF717.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI30B9.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI4EF0.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1667.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI4EF0.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2828.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF486.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI35E4.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9FB.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI35E4.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2299.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3973.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1667.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2828.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2828.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1C83.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31D4.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI35E4.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3242.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2828.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2299.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI4EF0.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2703.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB640.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI35E4.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3809.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3887.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txtJump to behavior

                                Boot Survival

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5FA524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,37_2_00007FFD8B5FA524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1E7E6060000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1E7FF920000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2C2ADD30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2C2C61F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E1AE460000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E1C6C00000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 14E16FB0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 14E2F590000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 229E3C20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 229FC030000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1F1C6AC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1F1DEBF0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1D11B670000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1D133C60000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 20DA2B50000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 20DBB190000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 24B83CE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 24B9BEE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 210E96D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 210E9FD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1F8BF8A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1F8D7FC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1FA5ACA0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1FA73490000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 1E995860000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 1E9ADC80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeMemory allocated: 1A3ADF90000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeMemory allocated: 1A3C64A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 22973800000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 229739D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3423A090 rdtsc 30_2_00007FFD3423A090
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599867
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598561
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598376
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598076
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596874
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599609
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599499
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599381
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598866
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598749
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Window / User API: threadDelayed 6027
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Window / User API: threadDelayed 3658
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Window / User API: threadDelayed 6398
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Window / User API: threadDelayed 3175
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Window / User API: threadDelayed 4393
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Window / User API: threadDelayed 3268
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | Window / User API: threadDelayed 3052
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | Window / User API: threadDelayed 1577
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Window / User API: threadDelayed 1355
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe | Window / User API: threadDelayed 6839
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe | Window / User API: threadDelayed 2765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe | Window / User API: threadDelayed 7691
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe | Window / User API: threadDelayed 1993
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exe
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI1667.tmp
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI4EF0.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe
                                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2299.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2299.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 6d216c.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3809.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3887.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE514.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA8EF.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA92F.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 6d216a.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA9FB.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI31D4.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI35E4.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2703.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4A60.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2828.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1C83.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2828.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1667.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3242.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4EF0.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1667.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF486.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeDropped PE file which has not been started: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4B4C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4EF0.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI35E4.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 6d2169.rbf (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2299.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exe
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI2299.tmp
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI3973.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI4EF0.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exe
                                Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI1667.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI35E4.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll
                                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe; Registry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -597973s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -597844s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -597734s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -597624s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -597515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -597406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -597291s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -597183s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -597078s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -596935s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -596812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -596655s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -596545s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -596436s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -596323s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -596218s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -596094s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -595968s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -595848s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -595702s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -595557s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -595449s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -595266s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -595140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -595031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -594873s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -594720s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -594584s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -594437s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -594311s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -594203s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -594093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -593984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -593836s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -593715s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -593541s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -593422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -593312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -593200s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -593092s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -592984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -592875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -592762s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -592643s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -592422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -592292s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -592181s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -591969s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -591391s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -591164s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -590953s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -590800s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -590639s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -590498s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -590381s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -590250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -590124s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -590015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2540Thread sleep time: -589888s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 3564Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 4776Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 5704Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 6048Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 2848Thread sleep count: 7691 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep count: 37 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -34126476536362649s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -599842s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -599727s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -599623s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 2848Thread sleep count: 1993 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -599500s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -599366s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -599265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -599148s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -599016s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -598844s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -598719s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -598592s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -598456s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -598344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -598235s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -598094s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -597957s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -597836s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -597605s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -597485s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -597261s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -596586s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -596453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -596231s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -596052s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -595905s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -595780s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -595657s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -595469s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -595352s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -595230s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -595110s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -594969s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -594842s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -594699s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -594584s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -594188s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -594045s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -593931s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -593827s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -593719s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -593608s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -593497s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -593365s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -593171s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -593045s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -592931s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -592819s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -592716s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -592610s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -592485s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -592360s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -592235s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -592110s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -591985s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -591860s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -591735s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -591610s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -591485s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -591360s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -591235s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -591110s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -590985s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -590852s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -590750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -590641s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1816Thread sleep time: -590525s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe TID: 2960Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 3516Thread sleep count: 281 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 6436Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 3800Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596231
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596052
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595905
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595657
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595352
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595230
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594842
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594699
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594584
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594045
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593931
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593827
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593608
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593497
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593365
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593171
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593045
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592931
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592819
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592716
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591985
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591735
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590985
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590852
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590525
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE247000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2919707171.0000024B9C877000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmm
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2920299509.0000024B9C889000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: svchost.exe, 00000027.00000002.3430007183.0000020AAC24F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2573571076.000001D1345C0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2875733789.0000024B83646000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: svchost.exe, 00000027.00000003.2832160684.0000020AAC2D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c29c2bea38880a8a16ee9f37bec9PCI Slo`
                                Source: svchost.exe, 00000027.00000002.3435884664.0000020AAC2B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )@"VMware"s
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2574968221.000001D134673000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2916708621.0000024B9C7AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: svchost.exe, 00000027.00000003.2832160684.0000020AAC2D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                                Source: AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFE97000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFE32000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2272647183.000001E7FFDB0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2716483231.000002C2C6A0D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.2573862381.000001D1345EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: svchost.exe, 00000027.00000003.2832160684.0000020AAC2D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20s
                                Source: AgentPackageUpgradeAgent.exe, 0000002C.00000002.2975453753.000001F8BF5FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLISTLISTLISTLIST
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.2377783987.000001E1C7319000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVVsa
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2916708621.0000024B9C7AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeatJ
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2920299509.0000024B9C889000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2562820603.000001D11B4A6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2875733789.0000024B83646000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: |Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2875733789.0000024B83646000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped.3
                                Source: AgentPackageSTRemote.exe, 0000002A.00000002.3493325722.00000210EA750000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUU
                                Source: AgentPackageAgentInformation.exe.14.drBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2523329995.0000020DBBA14000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE247000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2916708621.0000024B9C7AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: Atera.AgentPackages.CommonLib.dll0.27.drBinary or memory string: vmware
                                Source: svchost.exe, 00000027.00000002.3430007183.0000020AAC24F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: svchost.exe, 00000027.00000002.3435884664.0000020AAC2B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: svchost.exe, 00000027.00000002.3434677777.0000020AAC2A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C29C2BEA38880A8A16EE9F37BEC90VMwareVirtual disk
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2573813072.000001D1345E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped`
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2914154454.0000024B9C735000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2920299509.0000024B9C889000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{82094220-2cdd-02cd-b432-0b988e9f4438}"6000C29C2BEA38880A8A16EE9F37BEC9VMware Virtual diskVMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE247000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE247000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2573571076.000001D1345C0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2875733789.0000024B83646000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2574968221.000001D134673000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: svchost.exe, 00000027.00000002.3439750640.0000020AAC2ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @friendlyname"vmware virtual disk"lse
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2574968221.000001D134673000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
                                Source: svchost.exe, 00000027.00000003.2837791383.0000020AAC41B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C29C2BEA38880A8A16EE9F37BEC9
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2913941583.0000024B9C72C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: svchost.exe, 00000027.00000002.3430007183.0000020AAC24F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: svchost.exe, 00000027.00000002.3430007183.0000020AAC24F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN
                                Source: svchost.exe, 00000027.00000002.3439750640.0000020AAC2ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &@SetPropValue.Manufacturer("VMware");
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.@T]
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE247000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2574061150.000001D134608000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "Win32_Service.Name="vmicheartbeat"p^
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2574968221.000001D134673000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2916708621.0000024B9C7AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2875733789.0000024B83646000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedll
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE247000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2574968221.000001D134673000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
                                Source: rundll32.exe, 00000011.00000002.2317307752.0000000002F9B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2573571076.000001D1345C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStoppedW
                                Source: rundll32.exe, 00000005.00000002.2208468543.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2381295696.0000014E2FEBC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003A.00000002.2864037417.0000022974260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: svchost.exe, 00000027.00000003.2531459589.0000020AAC2B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@"VMware Virtual disk"
                                Source: AteraAgent.exe, 0000001B.00000002.2987448632.000001F1DF47E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgg
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2914154454.0000024B9C735000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStoppedk
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2562820603.000001D11B4A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                                Source: svchost.exe, 00000027.00000002.3434677777.0000020AAC2A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                                Source: AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWJf
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2575675568.000001D1346F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWPr%SystemRoot%\system32\mswsock.dll CommStatusInfo
                                Source: svchost.exe, 00000027.00000002.3434677777.0000020AAC2A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2916708621.0000024B9C7AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
                                Source: AteraAgent.exe, 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2509482920.0000020DA2FF2000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2465929079.0000020DA27B2000.00000002.00000001.01000000.0000001A.sdmp, Atera.AgentPackages.CommonLib.dll0.27.drBinary or memory string: get_IsVirtualMachine
                                Source: svchost.exe, 00000027.00000003.2531459589.0000020AAC2B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2574968221.000001D134673000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"p^
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2913941583.0000024B9C72C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStoppedvice"
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2574968221.000001D134673000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2916708621.0000024B9C7AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Win32_Service.Name="vmicshutdown"p^
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE247000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE247000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: AgentPackageAgentInformation.exe, 0000001E.00000002.2573571076.000001D1345C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
                                Source: svchost.exe, 00000027.00000003.2531717066.0000020AAC2EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{82094220-2cdd-02cd-b432-0b988e9f4438}6000C29C2BEA38880A8A16EE9F37BEC9VMware Virtual diskVMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 00000028.00000002.2875733789.0000024B83646000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppede*
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformation
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 30_2_00007FFD3423A090 rdtsc 30_2_00007FFD3423A090
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5F7B4C __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException,37_2_00007FFD8B5F7B4C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B63AFB0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,_errno,_errno,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_snprintf,OutputDebugStringA,37_2_00007FFD8B63AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B601910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,37_2_00007FFD8B601910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5FACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,37_2_00007FFD8B5FACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="apae.leticiarozanski@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LJyPNIA1" /AgentId="b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1"
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "8f7de333-83ca-4d02-94ef-1b8545d50f26" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "313c2f49-e11b-4184-83f8-24833206108a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "f56981de-298d-4b18-9699-96fd97645b14" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6a977784-500a-4b6f-98da-3b8105c955fb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a383a7a9-5802-447a-aa75-24c8264d606b" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "369c9bdf-f4d2-425d-a5d4-bce6b2c11f23" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "5f6f6507-8a14-439a-936b-7c9abb12dc95" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6f300cb5-dcd2-4a4e-a623-2be92e21fc41" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a5cfd08f-59bf-4f7d-aca9-3371418cc30f" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a742f8fb-c2f7-4e35-9df0-01c83d8be31e" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "752b1c43-f6f1-475b-a99d-893bafb3d192" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LJyPNIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="apae.leticiarozanski@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000ljypnia1" /agentid="b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "8f7de333-83ca-4d02-94ef-1b8545d50f26" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "313c2f49-e11b-4184-83f8-24833206108a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "f56981de-298d-4b18-9699-96fd97645b14" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6a977784-500a-4b6f-98da-3b8105c955fb" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a383a7a9-5802-447a-aa75-24c8264d606b" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "369c9bdf-f4d2-425d-a5d4-bce6b2c11f23" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "5f6f6507-8a14-439a-936b-7c9abb12dc95" agent-api.atera.com/production 443 or8ixli90mf "downloadifneeded" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6f300cb5-dcd2-4a4e-a623-2be92e21fc41" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a5cfd08f-59bf-4f7d-aca9-3371418cc30f" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagesystemtools\agentpackagesystemtools.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a742f8fb-c2f7-4e35-9df0-01c83d8be31e" agent-api.atera.com/production 443 or8ixli90mf "probe" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "752b1c43-f6f1-475b-a99d-893bafb3d192" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000ljypnia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5F739C cpuid 37_2_00007FFD8B5F739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2299.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2299.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2828.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2828.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2828.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI35E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI35E4.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI4EF0.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI4EF0.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI4EF0.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI1667.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI1667.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5FCC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,37_2_00007FFD8B5FCC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD8B5F85D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,37_2_00007FFD8B5F85D4
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Remote Access Functionality

                                Source: Yara matchFile source: 44.0.AgentPackageUpgradeAgent.exe.1f8bf4a0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 56.2.AgentPackageSystemTools.exe.1a3ae2b0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 42.0.AgentPackageSTRemote.exe.210e9490000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 51.0.AgentPackageTicketing.exe.1e995440000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 27.2.AteraAgent.exe.1f1c70c3f40.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 27.2.AteraAgent.exe.1f1c7495648.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 21.0.AgentPackageAgentInformation.exe.1e1ae040000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 56.0.AgentPackageSystemTools.exe.1a3adac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 51.2.AgentPackageTicketing.exe.1e995c50000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 13.0.AteraAgent.exe.1e7e5d10000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 37.2.AgentPackageMonitoring.exe.20da2ff0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 21.2.AgentPackageAgentInformation.exe.1e1ae4a0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 58.0.AgentPackageInternalPoller.exe.22973020000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 37.0.AgentPackageMonitoring.exe.20da27b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 27.2.AteraAgent.exe.1f1c73e35e8.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000002A.00000002.3493325722.00000210EA7C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2527928592.0000020DBC7E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2917001268.0000024B9C7CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2875733789.0000024B835FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2272647183.000001E7FFE97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3425340630.000001E9955F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2869658928.0000000E78C34000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2689025415.000002C2ADB74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2488230614.000001549DA13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.3008930987.000001F1DF92E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C765C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3452803258.000001E995CFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2380207514.0000014E17603000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3452803258.000001E995CE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2486036396.000002A4B9A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.3429292494.0000021080078000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2390284193.00000229E3C50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE4A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2689025415.000002C2ADAB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2806182437.000001A3AE2B2000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C7133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2272041127.000001E7E79AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE835000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2488472971.000001549DAF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2798377871.000001A3ADB7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2866625463.0000000E778F4000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2377140928.000001E1AEC83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2837794159.0000022900171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2565228250.000001D11BDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000006.00000003.2212091771.000000000453B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2755903772.000001FA5AB35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2508125557.0000020DA2926000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE7FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2565228250.000001D11BE55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2975453753.000001F8BF57C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000003.2790379772.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2565228250.000001D11BE2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.3008930987.000001F1DF8AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2379896713.0000014E16EC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2508125557.0000020DA2941000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2856420159.0000022973140000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2565228250.000001D11BE80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2389642590.00000229E3988000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3425340630.000001E99568D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000003.2487708082.000001549DA17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C7480000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2837794159.0000022900001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE274000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2881181090.0000024B83EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2523329995.0000020DBBA14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2689025415.000002C2ADB37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2720587451.000002C2C6E7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2720587451.000002C2C6F1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2984124474.000001F8BF8C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C768E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C6BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2855689243.00000229730F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2689025415.000002C2ADAF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2988910791.000001F8C022B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2272041127.000001E7E79D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2798377871.000001A3ADB70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2970305949.00000043724F2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2759376361.000001FA5AE60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2380207514.0000014E1764F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2273752591.00007FFD342A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2876644505.000001F1C6610000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2870623611.000001F1C63B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2869238463.0000000E78A29000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C713F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2508125557.0000020DA298D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE587000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2807052058.00000189B6BF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C764C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE1F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2805800185.000001A3ADDF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C74E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2271991809.000001E7E6170000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2868924456.0000000E78835000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2806671115.000001A3AE4A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2378892380.0000014E16C58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2562820603.000001D11B469000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2376028304.000001E1AE1B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2912328958.0000024B9C700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2488230614.000001549D9FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2755903772.000001FA5AACF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.3416990983.000000BD3CEF1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2376028304.000001E1AE1FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3425340630.000001E995698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2577506910.000001D134831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2565228250.000001D11C217000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE60E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C73E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2272041127.000001E7E7A9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3452803258.000001E995C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2987448632.000001F1DF478000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2380207514.0000014E17591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3440014244.000001E9956E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2875733789.0000024B835DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2272041127.000001E7E79DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2272041127.000001E7E7A52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE546000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.3481780585.00000210E96FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2272041127.000001E7E7A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2565228250.000001D11BC61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2562681422.000001D11B420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2271356356.000001E7E5F53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000003.2956930726.000002422909B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2509948593.0000020DA3733000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000002.2209595068.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3425340630.000001E9955F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C6C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2562820603.000001D11B4A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000000.2797664631.0000022973022000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2378892380.0000014E16C8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2881181090.0000024B844B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2565228250.000001D11BCF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2957694594.00000242290B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.3492315539.00000210E9960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.3032544207.000001F8D86B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000000.2789734652.000001A3ADAC2000.00000002.00000001.01000000.0000002D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.3031289027.000001F8D8680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000003.2956979140.00000242290B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2378892380.0000014E16C50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2881181090.0000024B83F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2755903772.000001FA5AAB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2271911673.000001E7E6150000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2864037417.00000229742D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2798377871.000001A3ADBFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE5D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2565228250.000001D11BED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2508125557.0000020DA294F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2870623611.000001F1C63EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2864037417.0000022974260000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.3481780585.00000210E977D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.3429292494.0000021080235000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2271356356.000001E7E5F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE6A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2925407151.0000024B9C942000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2975453753.000001F8BF570000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.3429292494.000002108054C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2272041127.000001E7E79A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000000.2354318537.000001E1AE042000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.3481780585.00000210E96F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2562820603.000001D11B507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C767A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2878015481.000001F1C7662000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000011.00000002.2319039819.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2856420159.00000229731CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2975453753.000001F8BF5FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2837794159.0000022900238000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2376028304.000001E1AE1D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2376619271.000001E1AE4A2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2380207514.0000014E17613000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2880411399.0000024B83840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2390414349.00000229E4031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2988910791.000001F8C023C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691250880.000002C2AE382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3425340630.000001E99563D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000011.00000003.2276609080.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2691043768.000002C2ADD80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 37_2_00007FFD8B63B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA, 37_2_00007FFD8B63B9F0
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 541 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 32 Windows Service | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 32 Windows Service | 111 Process Injection | 31 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 1 Timestomp | NTDS | 165 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | 11 Service Execution | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 681 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 123 Masquerading | DCSync | 11 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 361 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 361 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 111 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
                                [Behavior graph: ID 1493599; Sample: SecuriteInfo.com.Program.Re...; Start date: 16/08/2024; Architecture: WINDOWS; Score: 100]

                                Source | Detection | Scanner | Label | Link
                                SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi | 18% | ReversingLabs | Win32.Trojan.Atera |
                                Source | Detection | Scanner | Label | Link
                                6d2167.rbf (copy) | 14% | ReversingLabs | Win32.Trojan.Atera |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 14% | ReversingLabs | Win32.Trojan.Atera |
                                No Antivirus matches
                                No Antivirus matches
                                No contacted domains info
                                Name | Source | Malicious | Antivirus Detection | Reputation
                                • Avira URL Cloud: safe
                                unknown
                                http://dl.google.com/googletalk/googletalk-setup.exeAteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6F3A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000000.2354318537.000001E1AE042000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://repository.swisssign.com/0AteraAgent.exe, 0000000E.00000002.2727878966.000002C2C6FA6000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIPAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C723A000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.suscerte.gob.ve/dpc0AteraAgent.exe, 0000000E.00000002.2720587451.000002C2C6E70000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 0000000D.00000002.2272041127.000001E7E79E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://my.splashtop.com/csrs/winAgentPackageSTRemote.exe, 0000002A.00000000.2718158766.00000210E9492000.00000002.00000001.01000000.00000024.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://wixtoolset.orgrundll32.exe, 00000004.00000003.2163906663.0000000005014000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000456C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2790379772.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, 6d2163.msi.2.dr, ateraAgentSetup64_1_8_7_2.msi.44.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.ZAteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIPAteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/track-event;rundll32.exe, 00000005.00000002.2209595068.0000000004BF6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2319039819.0000000004F86000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformatiAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE5D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE382000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2E4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://acontrol.atera.com/AteraAgent.exe, 0000000D.00000000.2226925972.000001E7E5D12000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE1F1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6BF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 0000001E.00000002.2565228250.000001D11BE84000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerundll32.exe, 00000005.00000002.2209595068.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2209595068.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE1F1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2319039819.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2319039819.0000000004F44000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2377140928.000001E1AEC83000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2380207514.0000014E1764F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6BF1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.2565228250.000001D11BC61000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.2565228250.000001D11BE84000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2509948593.0000020DA327D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B840B6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.3429292494.0000021080078000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002C.00000002.2988910791.000001F8BFFC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3452803258.000001E995C81000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003A.00000002.2837794159.0000022900022000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Nhttps://agent.azureserviAgentPackageSystemTools.exe, 00000038.00000002.2810184843.000001A3C6B62000.00000002.00000001.01000000.00000032.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://my.splashtop.comAgentPackageSTRemote.exe, 0000002A.00000002.3429292494.00000210801BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkgAgentPackageTicketing.exe, 00000033.00000002.3452803258.000001E995CFF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostiAgentPackageTicketing.exe, 00000033.00000002.3451431497.000001E995C52000.00000002.00000001.01000000.0000003D.sdmp, AgentPackageSystemTools.exe, 00000038.00000002.2806671115.000001A3AE4A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSystemTools.exe, 00000038.00000000.2789734652.000001A3ADAC2000.00000002.00000001.01000000.0000002D.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE546000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://download.splashtop.comAgentPackageSTRemote.exe, 0000002A.00000002.3429292494.000002108021B000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.symauth.com/cps0(stvideo.dll.2.dr, XDColMan.dll.2.drfalse
                                • URL Reputation: safe
                                unknown
                                https://agent-api.atera.comrundll32.exe, 00000004.00000003.2163906663.0000000004FE3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2209595068.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2209595068.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2177235883.00000000047AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2212091771.000000000453B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE611000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE1F1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE587000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2319039819.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2276609080.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2319039819.0000000004F44000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2377140928.000001E1AEC83000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2380207514.0000014E1764F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6BF1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 
0000001E.00000002.2565228250.000001D11BE16000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.2565228250.000001D11BE55000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.2565228250.000001D11BC61000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000025.00000002.2526694956.0000020DBBC58000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c496ece2-e20a-4cf9-ba56-08036f242808AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://dc.services.visualstudio.com/fAgentPackageSystemTools.exe, 00000038.00000002.2810184843.000001A3C6B62000.00000002.00000001.01000000.00000032.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.w3.ohAteraAgent.exe, 0000000D.00000002.2272041127.000001E7E79E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=8d578304-aa0b-447e-a1ba-1575ff7024e4AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6C77000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE274000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE546000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent.azureserviceprofiler.net/AgentPackageSystemTools.exe, 00000038.00000002.2810184843.000001A3C6B62000.00000002.00000001.01000000.00000032.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.symauth.com/rpa00stvideo.dll.2.dr, XDColMan.dll.2.drfalse
                                • URL Reputation: safe
                                unknown
                                http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000025.00000002.2524990348.0000020DBBB82000.00000002.00000001.01000000.00000021.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/aAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000025.00000002.2527496737.0000020DBBD22000.00000002.00000001.01000000.00000023.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.zAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zipAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl2.postsignum.cz/crl/psrootqca4.crl01AteraAgent.exe, 0000000E.00000002.2727878966.000002C2C7068000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://my.splashtop.comAgentPackageSTRemote.exe, 0000002A.00000002.3429292494.0000021080130000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://cacerts.digicert.AgentPackageAgentInformation.exe, 00000015.00000002.2377783987.000001E1C735F000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip?qTzK5dAteraAgent.exe, 0000001B.00000002.2878015481.000001F1C74F0000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://system.data.sqlite.org/XAgentPackageMonitoring.exe, 00000025.00000002.2527845052.0000020DBBD84000.00000002.00000001.01000000.00000023.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl3.digiAteraAgent.exe, 0000000D.00000002.2270925191.000001E780449000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000025.00000002.2522397227.0000020DBB8F2000.00000002.00000001.01000000.0000001E.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/recurringCommandResultAgentPackageAgentInformation.exe, 0000001E.00000002.2565228250.000001D11BE16000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.2565228250.000001D11BE55000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000028.00000002.2881181090.0000024B840B6000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.4/AGENTPACKAGEMARKETPLACE.ZIPAteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6E0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://github.com/dotnet/runtimeMicrosoft.Extensions.Primitives.dll.27.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE6A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=338b493c-8884-4a60-9494-ddd5a039e2dfAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl.thawte.com/ThawteTimestampingCA.crl0stvideo.dll.2.dr, hidkmdf.sys.2.dr, XDColMan.dll.2.drfalse
                                • URL Reputation: safe
                                unknown
                                https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exeAgentPackageSTRemote.exe, 0000002A.00000002.3429292494.0000021080130000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000000.2718158766.00000210E9492000.00000002.00000001.01000000.00000024.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE26C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/22.0/AgentPackageSTRemote.zipAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001B.00000002.2878015481.000001F1C6CD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelpAgentPackageTicketing.exe, 00000033.00000002.3452803258.000001E995C81000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.PAgentPackageAgentInformation.exe, 0000001E.00000002.2565228250.000001D11BED6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.2565228250.000001D11BE84000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.w3.oAteraAgent.exe, 0000000D.00000002.2272041127.000001E7E79E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.2/AgentPackageAgentInformationAteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE5D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2691250880.000002C2AE2E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1493599
Start date and time: 2024-08-16 00:33:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 72
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi
Detection: MAL
Classification: mal100.troj.spyw.evad.winMSI@99/776@0/9
                                  EGA Information:
                                  • Successful, ratio: 16.7%
                                  HCA Information:
                                  • Successful, ratio: 58%
                                  • Number of executed functions: 484
                                  • Number of non-executed functions: 6
                                  Cookbook Comments:
                                  • Found application associated with file extension: .msi
                                  • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 1864 because it is empty
                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 5280 because it is empty
                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 6920 because it is empty
                                  • Execution Graph export aborted for target AteraAgent.exe, PID 5036 because it is empty
                                  • Execution Graph export aborted for target AteraAgent.exe, PID 5660 because it is empty
                                  • Execution Graph export aborted for target AteraAgent.exe, PID 6636 because it is empty
                                  • Execution Graph export aborted for target rundll32.exe, PID 2136 because it is empty
                                  • Execution Graph export aborted for target rundll32.exe, PID 2268 because it is empty
                                  • Execution Graph export aborted for target rundll32.exe, PID 2832 because it is empty
                                  • Execution Graph export aborted for target rundll32.exe, PID 5780 because it is empty
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                  • Report size getting too big, too many NtSetValueKey calls found.
                                  • Skipping network analysis since amount of network traffic is too extensive
                                  • VT rate limit hit for: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi
Time      Type             Description
00:35:04  Task Scheduler   Run new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
18:34:11  API Interceptor  2x Sleep call for process: rundll32.exe modified
18:34:16  API Interceptor  1400x Sleep call for process: AteraAgent.exe modified
18:34:28  API Interceptor  36x Sleep call for process: AgentPackageAgentInformation.exe modified
18:34:39  API Interceptor  18x Sleep call for process: AgentPackageMonitoring.exe modified
18:35:04  API Interceptor  1059x Sleep call for process: AgentPackageSTRemote.exe modified
18:35:10  API Interceptor  8241x Sleep call for process: AgentPackageTicketing.exe modified
18:35:14  API Interceptor  1x Sleep call for process: AgentPackageInternalPoller.exe modified
18:35:26  API Interceptor  7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):145968
                                                                                                  Entropy (8bit):5.874150428357998
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                  MD5:477293F80461713D51A98A24023D45E8
                                                                                                  SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                  SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                  SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 14%
                                                                                                  Joe Sandbox View:
• Filename: 4PP--0001S4D8S_DANFE000S1AS4SD5555522A1111.msi, Detection: malicious
• Filename: setup_it_security (1).msi, Detection: malicious
• Filename: Guidelines_for_Citizen_Safety.msi, Detection: malicious
• Filename: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi, Detection: malicious
• Filename: forumapp.msi, Detection: malicious
• Filename: Adobe.msi, Detection: malicious
• Filename: VANTAGENS_BBCLIENTES00001S4D444400000S.msi, Detection: malicious
• Filename: 2cFFfHDG7D.msi, Detection: malicious
• Filename: 2503.msi, Detection: malicious
• Filename: AdobeAcrobat2.1.2.msi, Detection: malicious
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1442
                                                                                                  Entropy (8bit):5.076953226383825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                  MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                  SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                  SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                  SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                  Malicious:false
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):215088
                                                                                                  Entropy (8bit):6.030864151731967
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                  MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                  SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                  SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                  SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.96048066969898
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                  MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                  SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                  SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                  SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):602672
                                                                                                  Entropy (8bit):6.145404526272746
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                  MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                  SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                  SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                  SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.954475034553661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                  MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                  SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                  SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                  SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3318832
                                                                                                  Entropy (8bit):6.534876879948643
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                  MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                  SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                  SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                  SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8905
                                                                                                  Entropy (8bit):5.6620491970575335
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Hj+xz1ccbTOOeMe8m61d7r6IHfd7r6kAVv70HVotBVeZEmzmYpLAV774OpY95r:HaD2cNpNtiB2iA
                                                                                                  MD5:4BC6E21EE634BD53FD4BE62AEF11630B
                                                                                                  SHA1:4FBBBAD51639BF2C9FFF69014E10312E97D1C3F6
                                                                                                  SHA-256:1EB7EBB54C584E723EF28FB6E85A445D0E849C541A7A06322DE5058D70E5DB9B
                                                                                                  SHA-512:431E18746A6C28A50C35B944333F20955F6798E6F10DBD36DE31E4C9780DC706D8D63AC64800FD6FC23A30CF35B9BC575C7E13BA6B4A28A1BA198255771517F3
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6d2161.rbs, Author: Joe Security
                                                                                                  Preview:...@IXOS.@.....@G..Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent6.SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-A
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9571
                                                                                                  Entropy (8bit):5.567497865041754
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:9j+GccRwbLCsgRqbLCMDp17qEVl0HSLALtyD0qagukGGhaKfmbHt1fC+k8rEcZ:9a4R2gRkdRKKT+BT
                                                                                                  MD5:6BAD26B80EF6E6FFC8B6A4D32CD92782
                                                                                                  SHA1:8F72E519A239234C3501DBB7CFA086DB565AD968
                                                                                                  SHA-256:0BA937E5CE2BB48A704362C2246B1814378916B0E0A30EB232257F1563B1BC5F
                                                                                                  SHA-512:054EE5411C6ECEE64352F5817CBF79C1A39080B742E608080A8A29318BD3378C076B7D52B9529B9743025A38A8F7B06D3843D101D02BED009E4B8138DFF9E040
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6d2166.rbs, Author: Joe Security
                                                                                                  Preview:...@IXOS.@.....@i..Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent6.SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\6d2162.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...Dis
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8767
                                                                                                  Entropy (8bit):5.653316935502748
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:9y7wo+fncHMeY1j6ITj6k7s5VNpkxYpLso:9Po+fncHsjVjtSNpkcP
                                                                                                  MD5:67E148E95F3667AEF20E37E6BC19E98F
                                                                                                  SHA1:F59D30C4CE63934739FAB4B6A62EE0104702FE6D
                                                                                                  SHA-256:2F4348EDFEC231EF8CAD086F12D49D9CF4C4575AF34E9E2E0AF2D16BC2DF3420
                                                                                                  SHA-512:06EEF14B5199842BB94274A4E529D6179274244D7F3895502FCC279D55D460D06FB6D8EED7C0C963A928CCBEAAE8273DFEAD6D8D8A3E274ED02B7B6879C04A0F
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6d216e.rbs, Author: Joe Security
                                                                                                  Preview:...@IXOS.@.....@l..Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):75963
                                                                                                  Entropy (8bit):5.7337794617394975
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:HJXeqjCyEgH2bQzxW5wM/wt/JBQKwHhrRUL2l+Jq4599oefeIubJZrQ1vMF8EkdX:qSn
                                                                                                  MD5:BDE4E3B76C59EB6D717DFFA71F55D829
                                                                                                  SHA1:960B3EC317E7C6D06BB0AFFB31844208320AA8D2
                                                                                                  SHA-256:888170D0C3D38B14C5FE812E58CBF408F52787C3BD7DCBCD06EB284FE4246DFD
                                                                                                  SHA-512:A28816FF5645D1A143F41CE8F554E1D53708FAF465682ABA2B407CE23B4DDB3BC4CDC91F1F486CB6E669E26138002C8ABEDD4866437BCFC83F5DD87FACD6B958
                                                                                                  Malicious:false
                                                                                                  Preview:...@IXOS.@.....@z..Y.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3D8827C3-3F73-4AD7-9420-7CA93653C8F2}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{61B538AB-B209-C01B-F95C-B0A0531054D2}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{3742F778-8BAC-9729-A5BE-712DA9BEB95A}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{ADBB7064-411F-E593-D901-EACB3BA8154E}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{06653204-4010-8C69-AD0A-982273468010}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{76FB8673-364C-25A7-DEC2-3C43D0343A02}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{944490A2-222A-67EA-5532-3CEF12
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):753
                                                                                                  Entropy (8bit):4.853078320826549
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                  MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                  SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                  SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                  SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                  Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7466
                                                                                                  Entropy (8bit):5.1606801095705865
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                  MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                  SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                  SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                  SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                  Malicious:false
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):145968
                                                                                                  Entropy (8bit):5.874150428357998
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                  MD5:477293F80461713D51A98A24023D45E8
                                                                                                  SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                  SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                  SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 14%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1442
                                                                                                  Entropy (8bit):5.076953226383825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                  MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                  SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                  SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                  SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                  Malicious:true
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3318832
                                                                                                  Entropy (8bit):6.534876879948643
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                  MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                  SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                  SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                  SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):215088
                                                                                                  Entropy (8bit):6.030864151731967
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                  MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                  SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                  SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                  SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.96048066969898
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                  MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                  SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                  SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                  SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1345342
                                                                                                  Entropy (8bit):7.999087415296336
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:P6qarBXIu143emJM2e03hHsPi7+QfGIjn5xgFxNybKJvTDSJSH:cVI81mOZ8tsu+MjnrAsimY
                                                                                                  MD5:F2E653E517216BAE6EE1866E56C93541
                                                                                                  SHA1:C9CFE52AEA1FC5026437162E5CD6EC5AFDDCDB23
                                                                                                  SHA-256:1A76544543CA4CCDD3981F517E93E316EF3EEFA677ABBDDB19AC94B9AD8EC613
                                                                                                  SHA-512:7AC34473A4B50991344DE76186B249DA8753FE01C4F1C344CF17136D157A8847A34047D1E492BB74F9B877DDDE155D6E503067FEF2DCCED6F7795B5EDEB97DDD
                                                                                                  Malicious:false
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32588
                                                                                                  Entropy (8bit):4.9960910032419115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:YMiXbLuNFLgxnzeynrL390PbFM1Orsc+eQjBy6qY2871Yu9IM8yzI:YHX+CRN0PbG1Orsc7QqYR71YyIM8II
                                                                                                  MD5:30FD970122DC4F600AB043C1F2EAA9DF
                                                                                                  SHA1:73ECB0343F13193E1647169994E856B85B3E8A80
                                                                                                  SHA-256:B9AEC2BF04C19AEDE9F089947337F4A72F4D9D9107499D06489220B78965945A
                                                                                                  SHA-512:070C5B9976289C7EF84D01BCEC81E87B538F0251048FDEAD99EB8CBFC4CCE5AE9F3072D0F5AD79B1BB49CF3C78858581627636035772F875B132044FCBAEA0E3
                                                                                                  Malicious:false
                                                                                                  Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Availability/0.16": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.0.0",.. "MQTTnet": "4.1.2.350",.. "MQTTnet.Extensions.ManagedClient": "4.1.2.350".. },.. "runtime": {.. "Agent.Package.Availability.dll": {}.. }.. },.. "Microsoft.Extensions.Configuration/6.0.0": {.. "dependencies": {.. "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",.. "Microsoft.Extensions.Primitives": "6.0.0".. },.. "runtime": {.. "lib/netstandard2.0/Microsoft.Extensions.Configuration.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.21.52210".. }.. }.. },.. "Microsoft.Extensions.Configuration.Abstractions/6.0.0": {..
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64080
                                                                                                  Entropy (8bit):6.320286768676932
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:9pU+qNEN8hGUdlhkjqMCgoGIxBNPlaWxk4TKZ08gDT7iC6gW3GIXtHEje4bEpYin:DU+CkuMChNPlakNcgD8ge1+JU7Hxz1
                                                                                                  MD5:E863A6AB8AA66CDFDB72085FF29C8945
                                                                                                  SHA1:3018DAFFFA623BC8404E1D0AE990B3B58E502455
                                                                                                  SHA-256:8168DF0CFF719BB10F2A03EC220788C931DA3E5EFA02030011AFF5B48F888D36
                                                                                                  SHA-512:62C0623C9E2BD66A3C1469BE3D2B7D36CB52364181D38400A6F27EE0600DA98DE921F49EBCDC2EB6A49D2CC0C2FFE4287D7587020162DEBDD54209CC89108350
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):160336
                                                                                                  Entropy (8bit):6.2128348726246605
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:6czkitvo4BpYN/6mBPry8TXROLdW5m4mUR39OOGO0kLxD:6A4NCmBPry/N2jOO7r
                                                                                                  MD5:EEB8806784553B29F5E8CE3F3566C452
                                                                                                  SHA1:588702EDD2CAE4FB11558E967BA88F1D4AA0B92E
                                                                                                  SHA-256:AA2322E40481D38DF9976C34A564932262EE08E72FD76465ADBCC04545BEEB8F
                                                                                                  SHA-512:88378E2190D813E788121DB814AC9B49FF12E489780CF46CDA770794D3EDF64075E1C73F2C1EFD29265EE71FDCB13A06A0DE0C29747773636FD3DE28ADA6E2D1
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14
                                                                                                  Entropy (8bit):3.8073549220576055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhVLD:WDLD
                                                                                                  MD5:9A7D20AAA012D185DB528C72378B0ACB
                                                                                                  SHA1:CD17C5DDB04E5CBAEBA56BB883B2BD0BF8C529DE
                                                                                                  SHA-256:CBA7D06C662A6601164CBC5A0F4086E247DC1ACA7CCF2F72F4443C88DDB29095
                                                                                                  SHA-512:961707F9926401EED9FDF892484527D253514F336B2AEF0A450184EE125DB940823E933739ABED422BC97B37E4094EFB3C9C355154F86984EB36508ED28BEE90
                                                                                                  Malicious:false
                                                                                                  Preview:version=0.16..
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):253
                                                                                                  Entropy (8bit):4.585549446641918
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                  MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                  SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                  SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                  SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                  Malicious:false
                                                                                                  Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59472
                                                                                                  Entropy (8bit):6.232150161817101
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:W36VpFishtGAb2BAst2t1z2C0qePts2+lpmjouk3KmGT1S3k7ZJSEpYinAMxCcOO:rFan4tkC0qH2ip2ouXm21oGJz7HxnOO
                                                                                                  MD5:2E0FAEE04F8632291F811074ADD4C253
                                                                                                  SHA1:0BAE9ACC374F92683691B335325A88FFA3B4109A
                                                                                                  SHA-256:2CEB68FE0E177998268E78FCB45065A2B53ED4E8E74F751B6AA993CC2AEACDE5
                                                                                                  SHA-512:A312A2B8689202032DDDF5240EF5092977F47BCCF19D0D1568D392EBD51040989453FFF1DB8B7F637E672843E701DD88BEFD80158F3209C089BC08670B7B8B2E
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):54352
                                                                                                  Entropy (8bit):6.249382958975322
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:yjPkdaG23BdHAnoekKhbdzn9kpWcwfRLzfoZrx6nnPMfm8XoJE5GtSdhEpYinAM8:IPGShI7mW1ZoZrcn0e0oJ4GtuK7Hxe
                                                                                                  MD5:59E6366CBB001376D03B59886F8CC984
                                                                                                  SHA1:A9B93839F4960D0E8CFAAEE15439083615AC14AC
                                                                                                  SHA-256:902725DBF9F7950D1A4A4F0057CAE5E14816F0ED686BF2422C03561AB13DA870
                                                                                                  SHA-512:DC77203DCF26337FA34094F1C954128ECC3C9C72F0F53B46598F6272012749A523AE38C5EE6D55376084568C2D97FB07104EA1D703318231517924FC7BD095D9
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):311888
                                                                                                  Entropy (8bit):6.173014844115743
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:+F0eAyIQXbKwPMF83GUN/7a3zyROhmogpE2/M3jw:+8QLKwPMKGUuBhh33jw
                                                                                                  MD5:6B314E447AD16EF4B8CBAA6CFF589F74
                                                                                                  SHA1:86647A26123AED74F2222E95C310C6186B03908E
                                                                                                  SHA-256:065EAB6C73BD96467BBC02FC3763DA01C7FB7065368C15E93192EA2F71975BE7
                                                                                                  SHA-512:131591A60F8C6251465F8BD103ABD499EDCE850BEE97AFB58A37B2ACFFACFEFDC93EB0EDBBF426220B9C9CAAE0A6212AAD5665A70F913FB96751CBB234A718D4
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26192
                                                                                                  Entropy (8bit):6.56959956590535
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vm++Js0qJ63NU17qtlR9iaTG/0wEzRjz6sMHJhOnAWM/aWsrNWUNyb8E9VF6IYiD:+lso3W7qHypd//SHEpYinAMxCsB
                                                                                                  MD5:568B70E6ACC43FA5D6D1B748323B7100
                                                                                                  SHA1:33C1E279743914ECAAD4BF3F3581D1914260C8F9
                                                                                                  SHA-256:1951AC489A3A924874B67DA82E7DB6C0F4BC599E3C38A8E6EDE0A5C33DD45391
                                                                                                  SHA-512:EAAB9BA61D0ED958C6D1A4DF0E95CE5AE2FFCD6A6E6C9FAE5522902FB72586EE16EEF397D94B3625B820113976ABC8F7DABFB55999B8802988D9B20201BC5C66
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34896
                                                                                                  Entropy (8bit):6.492292235898413
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:IRnQyuN61yKW1Guh2dIewN3czA8i1KraoAEpYinAMxCU6:IdgA1yKW1L0dkNc081+oJ7Hxw
                                                                                                  MD5:7AEC82F5B955AB320971CF18B13D63E1
                                                                                                  SHA1:C7BDA552D6C44FF7F5546AF6BAEAF0DAB0A6C278
                                                                                                  SHA-256:6D46A7EC7CC3DF3663B359F54F0F7B9B47EFED4AEF728C6DE117091F3838AB9B
                                                                                                  SHA-512:622E1E8373AC5641D0B6C77FF80A422D4A18EED790BBBE675C48A970318736862EFDBE28829A53AA631F8D387A10D14EC86FF748D4F33183CF6D331C47CAC426
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24144
                                                                                                  Entropy (8bit):6.681463392080136
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:T9FrztnCvZrlMIPTlLn9by3WKbW97nW2Nyb8E9VF6IYinAM+oCut8X7De7uA:Tbztn2AmxniKnEpYinAMxCZeX
                                                                                                  MD5:63CC618B9FEC8C9503DE8EDB5B7FE6EE
                                                                                                  SHA1:C994A8DFD89F5C4329744A589D35AF40B610F6B9
                                                                                                  SHA-256:5C5D3B9FAA3E3D3310BEC715473C58D490FD285344B95A381A7F46E19216FE66
                                                                                                  SHA-512:96C4F352951320309EC880F3C8BE6558633226DB577D51A22C7EE7B6EA2CF9960AF3B10D826F59DC80E14350BE684FE0836F1A31B19714C98475633BB3919D1C
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19536
                                                                                                  Entropy (8bit):6.730982430474166
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:SsGu6f0Ux3STFWUQeWmNyb8E9VF6IYinAM+oC/tUlUK7:SsGuWRTuEpYinAMxCWlUU
                                                                                                  MD5:E82CC9FD71064E072AE181432720A909
                                                                                                  SHA1:22FBE31E07A80B1B8DB0B97A3978ACCBBDBB0455
                                                                                                  SHA-256:842D59E7D1116B4072B2A18667EA381E7D2E449F14CABD89DB495EC3B4E4BEB5
                                                                                                  SHA-512:682DE1D3AAD5E08A78F7B55524B47926BDF2C249ADA483341DCE021BF1C21EF9EC1BD67BEC24230823253ED51251D5F20FA388E055B88CB5BF35275BAABB36B9
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27216
                                                                                                  Entropy (8bit):6.556776563317454
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6Y5JfZB7plLDwLx0umTZXA/XABRfhzWqr6WpNyb8E9VF6IYinAM+oCeB8euvQ7:/rd8Y0wRhzpEpYinAMxCeXL
                                                                                                  MD5:F52ACA731FD999D93962B96D86E6B4FA
                                                                                                  SHA1:BE07B77866379A49FED237471F232CBE348A1BA1
                                                                                                  SHA-256:924B4D2E997C16CE54101D05E8E7298F3D0D0FC9611957CEB5738C7224909DCC
                                                                                                  SHA-512:A5EDE09FAE3ABE0FE68F7D04BFC3A382FD0875BD87F4B80465DDB8C0645E4B9AA9FE6DAC5BE18B1F1E5CA32869E00E481103AD4A308AAE2208F857C90D0F4ACC
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26704
                                                                                                  Entropy (8bit):6.562781030074369
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:yI2/cK/FWwbGXC8e1lje1l6RWkb2W+Nyb8E9VF6IYinAM+oCE1sD:yI2/cqFWwSl6hXuEpYinAMxCrD
                                                                                                  MD5:63072DC72E16744763AB647135C09C60
                                                                                                  SHA1:7241FA172D6B5F06AE99FA4112EF981010489797
                                                                                                  SHA-256:5DA668B31F3E78DBCB3FA2D261694944DE451C757D62AD57173EF7B1637DA7D8
                                                                                                  SHA-512:076906EC35DF1550467E4B2B7070D87F2EE84605D595699E9BC0376681A5637BBB9EC1B1A0933419EDC81F807637767D68ACD1ECAFF0EAAFCADE425DCDD0D762
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25680
                                                                                                  Entropy (8bit):6.5096189037099315
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:sw6kebL1iFn6d6E1oE1LdAAW9ACWHNyb8E9VF6IYinAM+oCvcTE920l:AZbcWus/EpYinAMxCgc
                                                                                                  MD5:19DAA869DFDD8A67F4F7EEE1C955C7D1
                                                                                                  SHA1:3BA0358E9619ED1686A73E8955EBE0C4A61D6EDD
                                                                                                  SHA-256:F2AB144E0B9DA3689BC1AFE5AFD8721BBB523EC01C1299176FB5EB11A4B9FCBA
                                                                                                  SHA-512:0F42E9AF420A8E0A7547E7D172B4E0238698FFEBF65494F1C4C241E90CEEF53F7238A7423A216B8A86366EF16050B5836FDAEC63570BA468BE1CE5973C27DDB5
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):37456
                                                                                                  Entropy (8bit):6.451863278895808
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:gi4PV4eWxaVsQLqyCekI/q/xGljjEpYinAMxCkmg:gaVxa2QXUxajc7Hxpj
                                                                                                  MD5:A2B120986B4BB34F8BFA9ACF877A6581
                                                                                                  SHA1:3E759CE7F93835E8EF7E5F5685A64BBC77FE69A4
                                                                                                  SHA-256:DB4B3ECF1812E0BAF0326A94553049FE9DD613613FF344331A8C4A5BF6D062D8
                                                                                                  SHA-512:74C787EE77B34159ABC3FFD2CFE75B6855D03415F2E7334F5FD5BF20436B6BF10A65F9BB97143B631E3A56EAFD79D214489B3C393D48321E53DE88518CFF070A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):44624
                                                                                                  Entropy (8bit):6.263023686004545
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:X8+cxuPn//hpz2XCkCkCdvAb4b4qox06OoV0F8l0HCTpw0wo0emqEpYinAMxCm5w:M+cxuPn/bvvE0Q0HCNfBsL7HxLG
                                                                                                  MD5:8F23259BF8157AA26FE2BB5697CDE18F
                                                                                                  SHA1:14E9EA552451E4EA72D77D124FE1330D6F352E26
                                                                                                  SHA-256:836863E3C12887EF2BED748EA63903C47DB9D42FDDAB607CD0BA47981A2F7FD8
                                                                                                  SHA-512:98FE8F297F1834DC09926E1B3E8AE37EAB8DF183F913453A81A779A10DB0FF93E4F3FE895206C857E15A62882C7EC32121D27A33CA3413B645E9E70A3A3F263E
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):82512
                                                                                                  Entropy (8bit):6.280844319966934
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ENLmvi666OjIX0h9zMPvHBWCaRweUG4DynjEZnB87Hxk:K66fjLb8vH0CiUG4DyneB8S
                                                                                                  MD5:10D7DB14873F7D90062ED05370F74608
                                                                                                  SHA1:E57473D9CAF6417BEEE24AD59226F0DB6D9A2596
                                                                                                  SHA-256:5A6E417DFC3349517D74CB22B220B5EDCF5AA7CAFBF858FE21F49ED0C9FCBF8E
                                                                                                  SHA-512:D74EEB2A584D10E71582B1EA8CFF08C4968333CF620FE60AF61206375BD7CDC498104DEAA0082EFC47FE850D44FBED5031E3C69301CB3C41D3C70CA1805921AE
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22096
                                                                                                  Entropy (8bit):6.574986500526706
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5lfkJv/RYTWl6+MTxMufuMc8CWsbhWVNyb8E9VF6IYinAM+oCUUF:5lcJnRYTwIjJ6mEpYinAMxCd
                                                                                                  MD5:A2E5939939DEC7631230F0CED43CACAB
                                                                                                  SHA1:2946F6E44885EA041D307E6B535D21F4594487FC
                                                                                                  SHA-256:BA54C5630AE9E7994E5489C7DA9A80E4E3C9CC46921BA9EC9B3B625E35011FFB
                                                                                                  SHA-512:0A9130E542F4E127CA3BDD51D64EC75DB8793C66815CBB6FD17B5C8788594C0FD7EC7CD7730DAF84BA275A35DC95F9B56FE73A25189B4C538CDEB289696EA94E
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):43600
                                                                                                  Entropy (8bit):6.435989681911625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:uHxWCQ4MPJG3cOeeapdUgsWflN+Qu5cEpYinAMxCT:uHxW58re3pdUqN5u517HxA
                                                                                                  MD5:5B11E661BC8B53F6886776E6C0AF024E
                                                                                                  SHA1:644BCFAD4D5DE8ABB74A692DB728C6EB4EA5DCEB
                                                                                                  SHA-256:2F329F4B16D0F1DFA1CFF2DD699F6B28F30F45F61F6AF8B393CB7A13358B0E20
                                                                                                  SHA-512:EB3F13885303313697B347F330F102A8C6467A3AAC402FE0110993B4B7ABB3FC42387A50933E4B466CEA614C4B0434A9C94A04CB1229691F7E4AC87DCF4AA276
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45136
                                                                                                  Entropy (8bit):6.356515470188593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:LlwMU3jMMSPNueKQWjRUILOK2Ksf/qSCgHgUsJJEpYinAMxC8:LuMUJqLWjRHFtsHqSCgHgUsJy7Hxj
                                                                                                  MD5:EE514D62931BB1B8D2F76597F4B5AAC2
                                                                                                  SHA1:F9052A124653BA28CE8ACB3DFF1DA7E261CEB92D
                                                                                                  SHA-256:6C0F0AA4A3772448A688AB8E086861DE8026E3D8A97EF4A8D513AA9E5535246C
                                                                                                  SHA-512:74CAA313BD77D88CB9EAA5E35E6388B32734E605DBB514130F1FCBE03FF4D7D1D7F9EE884F97975BAF2FE7D76072D9056116FA6BBB59C0786513354B589993EE
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28752
                                                                                                  Entropy (8bit):6.5663544647348155
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:sfGp7YacaEaVNbG12flBF76euwMw0tXXVfFQkzsG9kni7QXRdQWibdWPNyb8E9Vv:owVNz9BF76ejMbmHXRQAEpYinAMxCxu
                                                                                                  MD5:451165A322F6BDFAB22D2640CFEBD88D
                                                                                                  SHA1:E0D874B7FC80611581E745AD721540A3A20C7E1D
                                                                                                  SHA-256:A982218CD6CEDB1DE7D4286C8B4E785F16A59AF06F780A88D250CFC41DA3B941
                                                                                                  SHA-512:227B4D98A758E13AE84453E7FE2B3970D95EE195192DC147B51316F73F5B6CFD68E629DA15A314AECA19084B3A9A080D7E6D4E6D3826D070F7081EA8E8BDC7F4
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):56400
                                                                                                  Entropy (8bit):6.30490980453766
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:uBu8CE7AFg+0ITvhADGmnnbaTfP63+R3u9q09ejEpYinAMxC881:ucfWA2+DjaD/nnba+3uwq09ec7HxS1
                                                                                                  MD5:6A78A125A2E3E232E5CA99DFC52F5BAB
                                                                                                  SHA1:B9926C0419472F8BCC5DD23532E29C1DA34EE17A
                                                                                                  SHA-256:DE00084D93DDC8DF65BF23D70DCE1F9DFAF4277C381EED19E9F96A18D1A77C57
                                                                                                  SHA-512:624873C03967886E4C6A628034B0ED7C7747CCFD32641194F4F5B8827D3555DC28590533B69D03F2597F218CD010E5D70B0CED024736B20ADDC68367346EF494
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):63056
                                                                                                  Entropy (8bit):6.287321950681953
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:J+UfRQY8PGNWovMLJYBjtLgnuAAAAAknwd45FnrfMq1/yJuoiYblHJg6GOmDulEh:J+tY8PIiq51wcFnDMsno7jRma+7Hxd
                                                                                                  MD5:55EBC669459FCC49F58F96F9003B9ADB
                                                                                                  SHA1:B00BC54B8BB572A91E6B5449CA7E161244806895
                                                                                                  SHA-256:718EF8C135AEB2C5B248F433758441503CC3F42E70946666608AFF3AEE495DFA
                                                                                                  SHA-512:AF18059F3E3E4304FB877FDF2ED61D53D072BB2B3D8E1EBA0D4B74ACD04108063F7853054BBF97A93850821A543A57FEE02E0252C8AFD409335F916B56D0A2BE
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27728
                                                                                                  Entropy (8bit):6.551086012985974
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Y/r0yw26S3QgV/UxNmsUspvnipmgNRLGc3WxsBU7RWBzNyb8E9VF6IYinAM+oCfX:8r0j26i92L6zBU7uEpYinAMxCP
                                                                                                  MD5:234B690507F9FAB8A2AE2DDED1357C17
                                                                                                  SHA1:27B4B381DDA5DB266AC6318B410BF25EA9F8A7F1
                                                                                                  SHA-256:7A4598E103896F4F5CDE4FE1C1A9F2D1535C26F8D1A4F97C9332EF3C40A439D1
                                                                                                  SHA-512:28362763CA8F620217DA4E9ABCE43CCEB0FE952B09AFFD240EF1B8327424FD09E255CEDAFBABF48D0D9691D81A5B07F3BF345947AB5567E41E8F47CE5ADDB9F0
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51280
                                                                                                  Entropy (8bit):6.367904513182944
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:fTGWFIlYoY5b3OxMZnndnnennnnnnRt3nV+JEtpzU+uujK2lBJqFsSjKcb7SEpYc:fiKIe9JyvSCG2l+NX7Hxheo
                                                                                                  MD5:D024BA9294E580CE20266BE92144CE21
                                                                                                  SHA1:C84A8789B37D8A086FD9750E92F870CC271DBBF2
                                                                                                  SHA-256:207592672324F9B89D88DAA01E18A9501FFDA351908FADFFA1D38FE779594524
                                                                                                  SHA-512:EECE0E3FDDE38170CA8F9B5E154224EA317314B97D8C87E3F501D50C3059F5CD39E0D45272279F523430206219D474E3F8AA4754B23489218DBE007E433DA3C6
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19024
                                                                                                  Entropy (8bit):6.636376636323213
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Ev+kBD/v7WJZVMWUBNyb8E9VF6IYinAM+oCCb4RC:EmMbuaEpYinAMxCGIC
                                                                                                  MD5:EC620107577C70EF9A35370ECDC7E48E
                                                                                                  SHA1:D5B1D31BE728865CD2BE805A99899CEBE9FB9543
                                                                                                  SHA-256:149785F6C1069C4AEEDC4B13730BEE3664EB714F44EEDCFA15D097FFACEA5548
                                                                                                  SHA-512:60391DAD37D27D105ED3DB4D8DD5F06BCF2EB69CB06D9026A8C2CF713884C4EF3A9E6C13A5B6669B834963055A5E18B43D94BC4DD10C781F0D4D5A860B4C5409
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25168
                                                                                                  Entropy (8bit):6.602492244793594
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ZzTu6iOUdGgvklNpdOHhvVhZQVW27FW8Nyb8E9VF6IYinAM+oCC/Fi:ZziZOwklFYh4jEpYinAMxCd
                                                                                                  MD5:25085314DBB9591FB8E8069350D1DF4B
                                                                                                  SHA1:31C55CE68D4C2EB2BD7528B5FAA63330E9F7F10D
                                                                                                  SHA-256:4F3913937EC411FF2EBE7AFAF10A2B55F572A6F1763BB3B1320E93540176570B
                                                                                                  SHA-512:4EB7215BDB25D233A069B536A5A7129528F66978E9D2A76F2BFF8DFE9A08A8406B8D4F496E1B1AA0B19E15E4EE5DB308848723180D7081697ABDB1D542BFF0E5
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33872
                                                                                                  Entropy (8bit):6.563086985369541
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:T2x4wbbh7Kx8kJ3yiW8/zKeGmBt1qm1CS1yvhGcRtquW3LUWTNyb8E9VF6IYinAW:5wvh7KxdlW8Jvr5EpYinAMxC2n
                                                                                                  MD5:AE55839BDB2A80A88E423363DE26646B
                                                                                                  SHA1:216B449838A7C2FFD182D1B78BD1FE4DA4E60BDE
                                                                                                  SHA-256:274B5887C6D0CEAAF7CBC6D613FF7D69EFA6314AF7950C75E5F91ABA421A60B0
                                                                                                  SHA-512:AF7EA961214F17A09A27AF932F8528162C876E5D74410AAA6D96BF4F8412EECD6F93DC28F7F657BFC7D92486480AABCC45AD5E35B6EDF61272E6F68F5B40214A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45648
                                                                                                  Entropy (8bit):6.394614635924562
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:vX8pDT8XP6hA+wMaLWCzAVLOPnyEpYinAMxCwC:vXiDTaP6hfY1GOPnT7HxRC
                                                                                                  MD5:6543EA508CA44C208A5E7387188069B8
                                                                                                  SHA1:639C57EF6A4248852E799FD6FE085EA3362CB856
                                                                                                  SHA-256:C562A4A38C9FB59873702712D070BC97D10BEAEF5257577CDEC7CB38101B017C
                                                                                                  SHA-512:4F70074085869A750552A51F8F43517688DCF789327F000795F56F87E4A34CFF1AC7D7B1988E09F1E8F67360A1C24166303D5691FEE033A9FF4D81674FC56C99
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23632
                                                                                                  Entropy (8bit):6.6336314644715
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:noePm+VIkOdHt6Zx8HignlSZYT9zWzL0WtNyb8E9VF6IYinAM+oCD7P5V:lPzVIko9FD9o3EpYinAMxCnP
                                                                                                  MD5:B04F71ECBEB0CD1FC15679B5F2C83C18
                                                                                                  SHA1:69C7C2D7B66967CD707FF58D7076162BD978AD1F
                                                                                                  SHA-256:019127850A8B5942C77ADA38D80BCCA4ABD739BD78A038DDD0C5A04AB817B092
                                                                                                  SHA-512:24A75E1F6CF53CAEAD02BC9A0E7A73B163B83B111333656F5FB5BF36AA9F93F4B71C24F22B30774D902ED51529361B529775C9F2EBDB75114E95D2E8DD48509F
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59984
                                                                                                  Entropy (8bit):6.316388481082354
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:+CD3yk2B8+9PwwOxC8wZLq6J4q2r0qafouRVPvW3nEpYinAMxCxq:hkB8+94xxBmm6mqaBafouRdiA7Hx/
                                                                                                  MD5:692E60666691AA7C7A3D41B9B84E9671
                                                                                                  SHA1:C16EF8101414C2850C788DD728E2F1134286A4D1
                                                                                                  SHA-256:D73BCD766C323469E4DDAA3E28010CDC1BADBF18DFE9914B0930AE3496E6CF1E
                                                                                                  SHA-512:28CA49180AD5EFD477B957D52786E52A27A732302B0CDE634ADE7AF8A8A9F25DBD06E31245A7EB323308859216650CAFC072BF21CC1DB4FA45BC77B1BF1C0BD0
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41040
                                                                                                  Entropy (8bit):6.341422324702679
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:zlx+oQSHqk49NI0OP7NWEfDkkuiEk3LViMEpYinAMxCog2:vVQSyI0OP7NxfAkuiEkbwF7Hxf
                                                                                                  MD5:E6187CE82E5FDBB4814DBB4B75DF1A33
                                                                                                  SHA1:CA55691C125C9D8F7E3573A4EBDFCD5C6CD8576C
                                                                                                  SHA-256:B8D387926AF32BA9B40CC21C15B20B7458EACDE96AAD1A10B36365B66CCA184D
                                                                                                  SHA-512:D5C98142E58CAE512FDBCC8D5C4F639D4589FB022C79272E4530816F7D22C7595A93E9DADBD2636351B6DA10D3754DF14368FB5A7AAEA110D63931DB2781E56E
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):697936
                                                                                                  Entropy (8bit):5.963248155050918
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:deos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQJ:d0/POdGV5jfW5VnhFyvOB7jW5JMtP
                                                                                                  MD5:3FC646321E6E41A6F6DB0F6D68CF0838
                                                                                                  SHA1:F2D15576C8BE70F68548CD040978DDD6B4204AA0
                                                                                                  SHA-256:9C850C7B7B45844B125076F3774F81B71A24537B7F187E597C4CE3C6026F913A
                                                                                                  SHA-512:6CBB07C0E3B5D7607F1B4D4A3A4E78164CE3EC48E70935BB60FE5EA1B596814EDACD9491703F0A7D279544E14FC4C00691EE70505B2A758617690C77682ACEBE
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285776
                                                                                                  Entropy (8bit):6.198599890196997
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:5MiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcym:5MZpj06vUsMjbQ77D++
                                                                                                  MD5:5B74F4D8E9D47BD1F248193AF6100960
                                                                                                  SHA1:25EF85F59695D0D60B4FD0490AD39A6BBFE61DA3
                                                                                                  SHA-256:6BA0EE588B46E3D05A40955576E1D0F2C82EB315D254F1D3F587A9FC51A828EF
                                                                                                  SHA-512:63CA5F2E05A64028E084BA4760250B706836F8AE74A95F9F81262788BF49DD56E56FA371B3792B96C0F073DE45BF85FEA6AB8A67DEF5BD4325D7E9A37CF7E938
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):38992
                                                                                                  Entropy (8bit):6.295960647161023
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:gdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIlo:gxuJRRsnHnyhQupytM9z7O3zfXYvj8rz
                                                                                                  MD5:B4DBAA3533A39B9374EC9A3DF9CFE2D0
                                                                                                  SHA1:38906D9D3FFF7C58CF4D2BC0C2F54A91EDF2CAC2
                                                                                                  SHA-256:73396F9B1AC255E3877835B4A4FA4E00623795040A1C54B14C4D504CA83480C2
                                                                                                  SHA-512:BF1534427C3C94FF19C451E19887852A530FEAC1C285D65AFCA782374558F041CC85EB3F4BC37014809A19E2E4F8643842B9AAC5E92A1DE9C0C613096A6A185F
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27728
                                                                                                  Entropy (8bit):6.554466088668113
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:JSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYBNyb8E9VF6IYinAM+oCKtKq:JSCZUl2O1zCnXyzD6EpYinAMxCkT
                                                                                                  MD5:643D074241473A3DA524DCF514C1AE47
                                                                                                  SHA1:7AA5A6CE315CD3DECE4F5A14F92A3C13F99514AB
                                                                                                  SHA-256:5763B143306B3EAF23871C4DE30F726A024A68A395E26C1CD0EA3D873CA6EA03
                                                                                                  SHA-512:6947C00384C518DB1CBA1BA19F65735D01A7DCF96CD2267FCB927164E6392786D7037BDE8C6984193E96A753A874252E22BDC6F5AAA3C75033A79D5356221E64
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41552
                                                                                                  Entropy (8bit):6.321443170649413
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:VUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BWEpYinAMxCZv:mLrgfPw3mXREaX7Hxwv
                                                                                                  MD5:0433BB0C58BFD97CECEB68FD52A542D7
                                                                                                  SHA1:AD638A6A23C0516285338F5FDA7C1AF3BF0BE4EC
                                                                                                  SHA-256:7E873F261F95AEC61C2C7F6D05768C7306C3DD267128286FA646E2B6DF267CDC
                                                                                                  SHA-512:894526AC0ED29E296D4987F36CDC44D933408E8182C185FF5488355AE3D20C1896EA675BE0D27C58A74156DE3B17E7DD72B88CFBA4A0F9EBFC54FA3E51B21FAA
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138320
                                                                                                  Entropy (8bit):6.160678928460797
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:MobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDtYQK:5bKKz1UeZk/Phv8lDuPai
                                                                                                  MD5:D755ED4DFE2F19DEB11ADE5CE5070F6D
                                                                                                  SHA1:F5A93E6C45004CB49398A54490F831CDAFF4349B
                                                                                                  SHA-256:936E73360824D627B42DD5401F8BC884E2B3B1D8A27267884275EB524CD7D672
                                                                                                  SHA-512:C49ABBDA336276A7DF68BF41355E23A52B6DD24079022A56A98C0B18D50FDF37BD3F469072B3F7903C94F7B7420E2CFCAC5A702D65155E0AA6C8C1AB2886EC1A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52304
                                                                                                  Entropy (8bit):6.150052387080182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:sb1yYPvLtCJY0E+F3xeHwNaleirtqCVlXmL+7NQ1OaY7c4EpYinAMxCODiTdS:sb1yYPL0E+F+8inVlXNP7cB7HxNkS
                                                                                                  MD5:60DCBA37E0501E08289CF911B0153FBE
                                                                                                  SHA1:ADE883B487F4C2B359510E417BEB16E74166FE76
                                                                                                  SHA-256:8C28A5CD3B8FA97CBD2B4C4D269EC409AC2680576B47B1E110BC79DD475514D1
                                                                                                  SHA-512:77EE88BB8D745DB3E6D9FED894B5B3275E353FEC6557663E60188BF4FB764BDECD89CA89950D5223E15446D93EE2DDB181A37DFBBFA182963DD72E23F80E114D
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):799856
                                                                                                  Entropy (8bit):1.7597847647294211
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:g/r3V645uWOL8/pCuPHnhWgN7acW5RjroUEKup3JdqnajvsKyhr:gx6Yi/uPHRN7y/oU7aJdlrsKK
                                                                                                  MD5:6A205C78D14FA91EFCA3AE531D1FF7E8
                                                                                                  SHA1:9E26E81DFDBA74AE261912993DE875D13BB0891C
                                                                                                  SHA-256:6444DFA03609248EFFD398E8562AF484AD0163A6C47CEE6D3A287FFDEF809AD2
                                                                                                  SHA-512:FD797F528519BD9B864394C2A45AFA5C7F94F58D1F2B55E0017987FB521C9F7292DBE1366BE778E60352FA8F9A08C10B7299AEA39DEEEE3A164BB105857FE7ED
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):132200
                                                                                                  Entropy (8bit):6.172481694612173
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Nw50BNfe5FxLyWnongSwUp+k7bAMZ7cPd:CKNfQxRncgS7bBZ7y
                                                                                                  MD5:2D13C1C8539D6FD7A0717941BF0357AF
                                                                                                  SHA1:0E70EA88A866BAF660950FE74482149456557BDC
                                                                                                  SHA-256:644BB3A1AFBEA6B835422B0987376F04796E38BBBECC08C94023638EEBE57F4C
                                                                                                  SHA-512:A52AE3560B22C354F5CE89358219A7FA2FEAA12B376F72B8B53E6ED5E4B02703777CF1678744E7C038C29616975C0E63DFE17BFCB0A9D53B394452EC17AD979F
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1152141
                                                                                                  Entropy (8bit):7.9996934105504405
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                  MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                  SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                  SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                  SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52272
                                                                                                  Entropy (8bit):6.139785828189609
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                  MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                  SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                  SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                  SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1782
                                                                                                  Entropy (8bit):5.026919218581437
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                  MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                  SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                  SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                  SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11
                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhTLV:WFLV
                                                                                                  MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                  SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                  SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                  SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=6.0
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95792
                                                                                                  Entropy (8bit):6.184818983275012
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                  MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                  SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                  SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                  SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95280
                                                                                                  Entropy (8bit):6.002764283325334
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                  MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                  SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                  SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                  SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.656654225594367
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                  MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                  SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                  SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                  SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52272
                                                                                                  Entropy (8bit):6.410547751816252
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                  MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                  SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                  SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                  SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):398896
                                                                                                  Entropy (8bit):6.13440642371392
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                  MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                  SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                  SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                  SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):883760
                                                                                                  Entropy (8bit):6.071525670553409
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                  MD5:022108AD251A8942E295269CA824DE07
                                                                                                  SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                  SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                  SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960711597816388
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:yBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:yBjk38WuBcAbwoA/BkjSHXP36RMGl
                                                                                                  MD5:25879E885A79F4548FD878EAF4A82396
                                                                                                  SHA1:AFB8D0BBD5687D2FC19C7A3FB66EA3DF1886DB8C
                                                                                                  SHA-256:3DF7B27F8649C95C56F1F68A040F29FB28EFF6756F8BA78C480DFBB541E59E4A
                                                                                                  SHA-512:39EB28B89A077D37FC8076A364B26ADFD348F6DC891AC08FACCFB071D3806C32AC0A3A5D82E8D4DE01DF6F9E1C4271CCABFA8FF7248CF6886BEF8FE4BDE51B6F
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):284208
                                                                                                  Entropy (8bit):6.117274836584594
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:NZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHU:fgo0WPVTXg0
                                                                                                  MD5:66DEBCC5962642D31706EA1B067288A3
                                                                                                  SHA1:FB6A76C0E5189F66FE1D0E192349077A45BF437F
                                                                                                  SHA-256:8CBC47B453EA20F1EEA3337981A1A975A16B68B27AA156831D2B4AD0B63EA980
                                                                                                  SHA-512:5C485C7D319BA9C019FBDCA48833D3628E6D9EA6F3AABFA47A519C363BA81D11265427FD470D5D665795B010A26E751DA404DBD70895E5EAFC83CBD50D83ED2B
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.676829122620627
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqXLP:TuhMaVmzDC67EpYinAMxC5
                                                                                                  MD5:C3CBDF33261AA0BAA8C11B4D713BA911
                                                                                                  SHA1:A486A2CFA6EF16B9DD005C689C767E47BF18D5A6
                                                                                                  SHA-256:0BD8B6B5D401001A2003486077BC095A2138B42DE7A52B212BD7A4AAD72A9E35
                                                                                                  SHA-512:132600340186128C7B8EA40D77DE9E5359A52949E7EE815CF959E2000A6EE178FCE26A2AAA2EBC56A48318EEAD3038189567CD5D14F9E977780373649C83F41D
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):97328
                                                                                                  Entropy (8bit):6.241615255803021
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:rNSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxhP:rN3OWMsQ56vd2s+KuYc9RTJrP
                                                                                                  MD5:259DAAE7BD386F6AE1C50DEF93F9A274
                                                                                                  SHA1:70E68497781C4E7B931B11E9EFE702ECCFBC3AF7
                                                                                                  SHA-256:859758492E07C9297C1C5A0A31FA30129C23D479F442ADE01F4A51F78A0DED08
                                                                                                  SHA-512:8D25CB5982E2D8A5EFA0056C120E1BD5AEC7E28DE4DEEC9BFA2BAEBFB0FABDC4A12369F901C8415CDD3402C9A0E8F8F338C1C5E3FEB1A2C0F45ED446AB80701B
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138288
                                                                                                  Entropy (8bit):6.18032959054322
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:g3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnJ:S0qjCSRE+fw0kG71S
                                                                                                  MD5:CC3FFADF699BFB7F10A176AE306707E8
                                                                                                  SHA1:C0824E4E57FEBEF32E904E540BA369BB77ACD15A
                                                                                                  SHA-256:D48B4C4D3BED0F4662B98E557A0EDE24B6C3745E7BFFC114164A2FD33D947904
                                                                                                  SHA-512:BC648768FA54D6F9A0FB70CE88960EE2137712FD7056F8FF28D2E222871D2FFA96B97C81E21D84CD71EA336F29D28977EAB57D858B2B7D1D7C7B2B01BB455C32
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.672454142602205
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Nh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB7f5DxmX:Ny9eEpYinAMxCA7xDxmX
                                                                                                  MD5:2BBEC1A6C6C64499CE0A4EDEA5D0C629
                                                                                                  SHA1:A1C39059B887B7A1BDF93CAB3237413D5948BE26
                                                                                                  SHA-256:D80E6D1C2A0850A2FDCA5F16A259130B08DDFE968CDC137253221CD4600D53CA
                                                                                                  SHA-512:B27639E9D30FD23461723708D4067C99AA3162FD8EF935AD5DA75776EBB46F2D11BD0FCA211BE35A195CE3020E10E063F66FDDDEAC0624392143B856DC23C174
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):384064
                                                                                                  Entropy (8bit):7.999354812539926
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:6144:oT+//Q9zzulKCWBQWv2SaUi4QGX46RIpikyZVsEJ4edsS5OmBOGapgfFwchugV7h:o6//QYKvQe3as3vt4edsTEHapgfgt2/l
                                                                                                  MD5:62BA835DA9186B6F9ABA75DB02BDA457
                                                                                                  SHA1:73CF400D8CA1E32DC336344778E43BA5F077659A
                                                                                                  SHA-256:3F7E666C873A00E2FC36561CA3C6554D64EE592CA6D7AAE44C1D578A4BA952C0
                                                                                                  SHA-512:AD12DDCF069B1E41895C6FE95B4206AFD5E41FC36078323B0CF5084A90322106366B1058FD19F4A7A2E3298B59EE06CF8DB75DFCEDAC3377211216A81DD86CD9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):176176
                                                                                                  Entropy (8bit):5.810538753278762
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:8hu0H1+EJQCH77wKu8MFZYfAZN8nCq8vwzZhq7tZ:8hu0H1+EK27wKu8MFZYSIZhqn
                                                                                                  MD5:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  SHA1:F0EC4BB9BE94EE250ED38E88A87B65E727A9A058
                                                                                                  SHA-256:C46A613D72F89B5886A79B742AA845152505734642188EA710716F63FB775C77
                                                                                                  SHA-512:1FD0EADD36D9058E7BC4AC06108B0430ABD5D43BC14100593352FD2F5639547B92BD7AE9691E219A26A90A80E4427DAE687A2312DCA0A48F71DD3ACFF9494752
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):546
                                                                                                  Entropy (8bit):5.048902065665432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                  MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                  SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                  SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                  SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhWan:WTn
                                                                                                  MD5:5114AE785BDC99E7A17BF2CDA7D29A72
                                                                                                  SHA1:3DE3B2F755C832B8D5E6C0EC409448E2F559FFD6
                                                                                                  SHA-256:69DFFBBCA4B0D194104AF8F2E0FCF2B8019BE844149151B35AC0777A26FDA2DB
                                                                                                  SHA-512:87243F0B4B8E45408B39D209FA7AAFF2A844D58E73C431F7887C90B000FD19B12048987218598945D4FAA0FA75FDAEA83FC50583175143DF737134A2BDD27D03
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=37.2
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96816
                                                                                                  Entropy (8bit):6.18002703527251
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:9Jt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7HxwX:9QUm2H5KTfOLgxFJjE50vksVUfPvCy
                                                                                                  MD5:DDC6B969B5DB1626766381FF12340FA1
                                                                                                  SHA1:6AAA12B989EDAAD22E1DB21127DDCFFD8951930A
                                                                                                  SHA-256:CEBE42FBEE50769C3CF9CE1ADEB4FA85046802B7A298BDEAAC3278CF4B653525
                                                                                                  SHA-512:B86D9C2E1234960F6614B6E6D790EEAFB093DB4CC1C9A2C4FE55EF0D4496D79B673F1B373BEDB036D23246FE1D3B7370FC0A195F59508A0566BF101401480F6E
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):704560
                                                                                                  Entropy (8bit):5.95412318973471
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:t9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3c:t8m657w6ZBLmkitKqBCjC0PDgM5M
                                                                                                  MD5:6EB75A19A6AB8F9DE3886261B399A8F7
                                                                                                  SHA1:7FE98DDEC3FAA1362167BE26B5455283E7777881
                                                                                                  SHA-256:D1A4D5FB2B89A96A3EFFC149D0A32B72182D37B59414AAF78E202D91CF408A68
                                                                                                  SHA-512:383C477438A3654DCF5EB984626715D14AD6C771692B28326EE2212034F8B70D4430AEAE677532C66619883CBE86456602E544F2E0F0A98770F69BE3956504C1
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):4.662894483998975
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:hsShKq4MsShLP6SX9NfzyShaKf0OJqGShaKf0Od:J4qBX9Nf1Jqd
                                                                                                  MD5:6279DC0EE52FF965B522F4AE324A5DA5
                                                                                                  SHA1:CF75B92C74FC834B121BA2823573DD8600984871
                                                                                                  SHA-256:B604A350B160103ED5C7FC12AF14FB669B69BE858A461BC7C5E521A5857A9DBF
                                                                                                  SHA-512:43C31946D2075F70D22707CEE72723E997EF9DD54B773884FBD47AB07C4D554A8D5DCD322D6646317CDB81A39E4565FAD8557691568B6D220104968DDCB858D2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................TAgentPackageAgentInformation, Version=37.2.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[].................uz..H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35
                                                                                                  Entropy (8bit):4.04716007463276
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:LRmdjkVTQ8:LRmdjc88
                                                                                                  MD5:EE7C871B7137C0EE366171A7BF7E01F2
                                                                                                  SHA1:5EE0834EA2B7503E109274FCDDDB89A5A22D9B32
                                                                                                  SHA-256:8449E2E185D267587C7847DA67EB4A1ABF4F9D6B171231380538484041C47F8B
                                                                                                  SHA-512:384280B0B586AC71F91698F73F5102990FEA8B0273EC1240454EC011E565A5A4AE808B18CFD41E726D7B7823A8CFF6AE440F91FF5E076FB26643B0AB5CE92032
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.D8F994B317A94C8F1592062BE79A6B2F
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35
                                                                                                  Entropy (8bit):3.9572958738405695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Vd74mVrmbgw4T:VuErmbq
                                                                                                  MD5:CE26DE4A8BA5C882FBB9FBC03E168ED8
                                                                                                  SHA1:75AEBC41164E5FAD93702F8A172EEC25BD2E1E4F
                                                                                                  SHA-256:412D2E6E456C17A107CDA64B35297B6CB28D8FF5C47A0119F21FCB4E35F7E42C
                                                                                                  SHA-512:776422590C3D198D49FAC60A45293F93FB7394D989355AA5910ABA3D27AE6F56A6719EDBA1AD5836ACCEA34298E1133C8FE9D8284B6309AEA870D439213908F1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.D12A1ADC629C3708FB923F7EC8E16296
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):833993
                                                                                                  Entropy (8bit):7.999644881255343
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                  MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                  SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                  SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                  SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):219696
                                                                                                  Entropy (8bit):5.943430076853408
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                  MD5:01807774F043028EC29982A62FA75941
                                                                                                  SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                  SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                  SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):541
                                                                                                  Entropy (8bit):5.097123194334321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                  MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                  SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                  SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                  SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXWp:WBc
                                                                                                  MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                  SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                  SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                  SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=23.8
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52272
                                                                                                  Entropy (8bit):6.300719339270839
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                  MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                  SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                  SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                  SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96816
                                                                                                  Entropy (8bit):6.1801131806578455
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                  MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                  SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                  SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                  SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19
                                                                                                  Entropy (8bit):3.260828171224456
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:JOuB3QAn:pL
                                                                                                  MD5:1697F7120594D115531947FAF4DD88BA
                                                                                                  SHA1:0E8F8D19E068C7A62E7839CB11B5EAA7BA824155
                                                                                                  SHA-256:0C2B2E103AA667A1D1BCCE062313E91F5705C26B9DB7A5DAD66DD857A726DEB9
                                                                                                  SHA-512:DF090FE74222565CBCE568A9685656AE25D72B9872CBA23E76A25629210EACD479F6754771135862442885A786121AA38E8354F34CD9EA4F20A609A8A8DCD5E7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:15/08/2024 18:35:14
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):499760
                                                                                                  Entropy (8bit):6.056862695710082
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                  MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                  SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                  SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                  SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960733432365752
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                  MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                  SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                  SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                  SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):277040
                                                                                                  Entropy (8bit):6.190626027944278
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                  MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                  SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                  SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                  SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):149552
                                                                                                  Entropy (8bit):6.059724018456156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                  MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                  SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                  SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                  SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27184
                                                                                                  Entropy (8bit):6.334370226233819
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                  MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                  SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                  SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                  SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.955083228632948
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                  MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                  SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                  SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                  SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):639
                                                                                                  Entropy (8bit):4.863655437170165
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:p2IytXEH2Iy6XEOMrDcOMR4ECuZDAuQXVvrQgKOsYw9r6KJuY5ur6KJuYrC4gKL:pmtXamW1Oc4E6umdQNOsp3wL3wiNL
                                                                                                  MD5:E61B2E16FF20084E7A8C1ABA863893ED
                                                                                                  SHA1:6D45DA7B64F700931F78D83C3A4EA8AD60E8F64F
                                                                                                  SHA-256:DBAF65941EA19F3BF93DBC4215DB67B2EEC4FFF25C6FCE74DF1E27FD5EC54101
                                                                                                  SHA-512:EB05DE985C703BF35CE9C9C6BECB1508FC86D9EB42A7C121B31C0723015B381B17C153A1D0260A0829F6D1ADB10D68401DAD60DF91B86F555FE8D526971D55B7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:15/08/2024 18:35:10 In Program static constructor, before instantiating _logger15/08/2024 18:35:10 In Program static constructor, after instantiating _logger without using _logger15/08/2024 18:35:11 Starting Main(), logging without using _logger..15/08/2024 06:35:11.111 pm: Info: Before PollAll() call written at: 15/08/2024 18:35:11..15/08/2024 06:35:14.018 pm: Info: In PollAll() before Poller.PollAll(false) written at: 15/08/2024 18:35:14..15/08/2024 06:35:14.080 pm: Info: In PollAll() after Poller.PollAll(false) written at: 15/08/2024 18:35:14..15/08/2024 06:35:14.158 pm: Info: After PollAll() call written at: 15/08/2024 18:35:14
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3585011
                                                                                                  Entropy (8bit):7.9999193745697
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:49152:PifnPfXNZMNdg2I1fVkjUhN0ToFwQGw8tQRSm90p13l95Ogl5xs35F7gzzTaCzZw:PSPfadg2IIj+N0TK7SSKjUglopWD/Py
                                                                                                  MD5:25EE719E8A32A0C5DFC57A5923FE32F2
                                                                                                  SHA1:F48E0549F5F05476EB780E78F7840A98B4375193
                                                                                                  SHA-256:A5CEB8392D19691CFC565D6DE595D829D474B9B095557A55C1D11BA475E82836
                                                                                                  SHA-512:A7483CDD47E71AE7570AFF30D2EC9E8017DFE5BA6488A8E14B538912A0E3AB286BAF764A13553D30170D874C5F14EA524C5D878131304C74838AA8E0952A2831
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):396336
                                                                                                  Entropy (8bit):6.250697507262227
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:1fXwAmmWkxZjUCyC6ulqODyu+1QsF9K7SCHp5ZuI5MXd0XjkcdvCtUovOz6E8DnB:1fX7bwG6ulqJZaS5kzdKtUYOzMu2h
                                                                                                  MD5:B50005A1A62AFA85240D1F65165856EB
                                                                                                  SHA1:EEC370FA998AFCD06227DCB1BD5E6E2D36073693
                                                                                                  SHA-256:1867CF4FCB38F7E7FC98DDAD180C26A717360DF688A8EABD9F325FDE3C16F5BD
                                                                                                  SHA-512:63E664A8C12F27EF4C273330A8CE322CEACF12649C2BF61617ED8E394C43BF2CCAF1C2A14E2CE8807C11CE5EDD653FC7F942D0F4919923B37E1174A67393DBC4
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1459
                                                                                                  Entropy (8bit):5.033662307409642
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                  MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                  SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                  SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                  SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhW8:W9
                                                                                                  MD5:72133F8B7A6B747D14AD3D4BFF8CA002
                                                                                                  SHA1:476623D1CA063E5F7836DEC97384F79E9DD04786
                                                                                                  SHA-256:531EFE3FB7CACBC23B12FBEF7B426A3EEF4B4ACA64C20DF7637F4ABD46CF1FC1
                                                                                                  SHA-512:4292C7513F4843543FDDA960271E060648C7690AB48477FCE27C00220F5216FC813114078E64886AADCDD5FD42AD96DB447856C11FD5954D6B1596B744CD5F2C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=36.9
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):102448
                                                                                                  Entropy (8bit):6.190419076161021
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:OPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxc:O2bYbYSWd85I5sSakFQhHL8G
                                                                                                  MD5:F64F56F2E4DFA797D5CB4B1CBA08644C
                                                                                                  SHA1:3C2DCA64758145239E2AEF45E05CCF6BF9A7FB8D
                                                                                                  SHA-256:F23BBB31DD11D74343840FF81E37F73FB891DE7E8C6596AEED2C405DBA97CFA0
                                                                                                  SHA-512:19181FCF32B176E9D24677DF8D740D5226F5A7D044DFB24725645C951F4F7682D9CA521F62E2420C814EF177BD20F0C470B54D1C710713F75ECC7F58F7C30CCA
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95280
                                                                                                  Entropy (8bit):5.996740439887868
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:t4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87HxsN:t4auS7S5Ea6WMcpu8I
                                                                                                  MD5:EF30D465678A904C773B58CC3B1AD66B
                                                                                                  SHA1:D08C5968C279790EF2D10BF2FFC1F2DE937ED4DD
                                                                                                  SHA-256:A5FAFA659C8CEC0FF892405939E3BB32269845D4509763ADD219C15E7D2A8710
                                                                                                  SHA-512:521E64502F81A789DFB6D4FBE545F76DFE32C7998222CE3002DCEBCE5550D60AF6F29C30F9A4B8B888639CAEDB8C718BA34D88BCCA782EF13E8CE3A81ED537BD
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):75312
                                                                                                  Entropy (8bit):6.240212933460331
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Su2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrY1:fF+qo7mDEwj4NXLGcfgruFcg7HxRv
                                                                                                  MD5:E307CE14EC46071E8D18B6E281A4F955
                                                                                                  SHA1:2AA8E6FFF7346019682148DCBCEF44F72ECC4982
                                                                                                  SHA-256:E1E9378C07B6783755D1CB46115A1791651588BD172BD535630C306198D384A9
                                                                                                  SHA-512:2D7A23FF1D4837FA51E9C93FA0FAC0CE4F5C7744DFED28DD87C75CFF550DA121D0383F488316FF056E60C1068F59A3634E0B09D62065271B1773B73E99C54D4F
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51760
                                                                                                  Entropy (8bit):6.407791203959866
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:GQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCkU:G9MYPJS/16/E8/3A+++bF7Hx3U
                                                                                                  MD5:A36553BAC1F9CBF5ECBC13F7BB830E7B
                                                                                                  SHA1:2BDACF2F0FD7ED5F3E62E4888F0A9034E8882BFE
                                                                                                  SHA-256:CC527E9A3E527C9907D1AA00564057D070BA9B269B9FB2AD8D0F3DD380CBD3B4
                                                                                                  SHA-512:9B3CD927725CCA3B2159F91406EF472506348BDB9CF1066386E1DAD1E9C2C4F4A72BF7A936AC9694F259C9F73AFB71B1CC37F9B5C0B1FF3D0259D1B9BD3214B1
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):155184
                                                                                                  Entropy (8bit):6.247738832262604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:T0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+Ykt:IP80zukOltwWk
                                                                                                  MD5:CE4E3B687617A7C94D73539DCD89FA73
                                                                                                  SHA1:4C6519693D081D9F03503AA5CA3312C41DA3F981
                                                                                                  SHA-256:DF753760463622BBF573AD25AC4B5184727D1F232FF68A17A1601F39377DBB76
                                                                                                  SHA-512:FA0C76247E05C1577B767373DA659A4876B3B39DA20D3D0CE8A73779306C66FD3A2A032DCD47D11A79F1A1A2A93E242651F8650934CFB98C10D4E50F111F8F90
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):215088
                                                                                                  Entropy (8bit):6.03083318319815
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:m1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sV:5Izm6pOIgvr7s
                                                                                                  MD5:A58985E020BB24EB28C965043EFBA9F5
                                                                                                  SHA1:709CB8780E30484A788EF6EADB8B76D30491F66C
                                                                                                  SHA-256:1AAED0562F7379F1998E50A9C0F8CBCFCFEE65FF2EF3C5DE2ACCD56764418385
                                                                                                  SHA-512:291CBFB3A468DA06CAA0D02B04CE5109EA3EEBDD1B4B0918D9AE45B7DB9FBEAE6842B35D4C9DF99373CAF54DFBED714577C959BE2C9DD9AA92FE2774860842C8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):354352
                                                                                                  Entropy (8bit):6.153514122272104
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:+r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYy:+hpp9xxIBeXGfvYy
                                                                                                  MD5:B2F1B38E6DFFE1FE761A0865392161ED
                                                                                                  SHA1:D9196465705125A228494A28D5CE3F3F2C7BDB36
                                                                                                  SHA-256:8E958FEA067350A1957FC9E4F3052A1B8D28AB95D4E26A072BCEF0794FB8A398
                                                                                                  SHA-512:6E4B6BB945EF698F4552E229E6CBBB615060722D2D1E8F5877200C37C4EEC8AD683C61DA701CB9A09C79673ECA96AC8CAFC3FDF70BACD2C5507C4F0ED78BC1E1
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):883760
                                                                                                  Entropy (8bit):6.071481963565208
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQU:V1n1p9LdRN39aQZUqF
                                                                                                  MD5:CA515F4F34826F5ED5A8FB7D3259FEFF
                                                                                                  SHA1:D31158793EBB4E0CBE957158F2E42754CA826A29
                                                                                                  SHA-256:5042E33133E0422F51382C273153295DF814E5CC2FF2A4FD0D973B4AF54D4933
                                                                                                  SHA-512:1336E658AE6097598F3508424085AD288AF4B60D4FDB821A10BAC712492652F7BB06F3E53556CCBB7425A63ED48B53D368481D1F142E6B58FF7C4789737A3CFF
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960477572931558
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU/:hBA/ZTvQD0XY0AJBSjRlXP36RMGK
                                                                                                  MD5:EF06D200D340C9798A006F304119BA82
                                                                                                  SHA1:C08B838DAC97CD1376D934FB5ECA982BEB19D493
                                                                                                  SHA-256:88C838B4EEDFF929AFDABA2BA808775B1979C5C9BD7AAED36525CB1A41D8A8FD
                                                                                                  SHA-512:E67597F90A504A1B7C6AE838C8F82BF9928D49B22E896592623E9473147F8C05B974E86567E40D93D9C59602843A532034ACF5BAD2EAD78962AC2435A63E80A7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):293424
                                                                                                  Entropy (8bit):6.121578040837099
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:vdmT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yt:vdc7N/WkQHr64t
                                                                                                  MD5:C329213E3BAAC31E55B7E57C9B5692C1
                                                                                                  SHA1:C858EFBB991254A929A0D7BCB1087628501E6DC7
                                                                                                  SHA-256:38C66E322E92172722E36001F2C9E6151655CFFDA8D78BA730B1878FAD793FF6
                                                                                                  SHA-512:C86F49F789B40E4EEC295CB652CFC63FD5C87E51029AF975AFEFA86C57BB6A9E52DAD54993FB7186ECE73BA905EF43C50E11B85F221EBC59698D8E1845FA90BC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):277040
                                                                                                  Entropy (8bit):6.190744437011799
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:qSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYE:luQlBAMW0BvltxZ6h
                                                                                                  MD5:D6F46A4CB8CEB824CD1763B62B8F71A8
                                                                                                  SHA1:9FA3A8318D93CBDA86D2843B0783CDF0E7B28D92
                                                                                                  SHA-256:66386C99B4BCF568C95E93B11E5E89FC78556924C5BDAC9644BCCA7B04291542
                                                                                                  SHA-512:4B720C78E8B3316EAE4FD0BE2499173246AAD3896ED7AF76124A8E565977C27197C73D61474ABA34264F18D5C4BCAF1B51070484CE093814E3CA6C2804AE419F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):284208
                                                                                                  Entropy (8bit):6.117480150640407
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:PZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHNS:Rgo0WPVTXgg
                                                                                                  MD5:74DD74986D9708CFA8F4B4F0D005B604
                                                                                                  SHA1:55C85D2BD0ACD3E14ADF6D442670BC7F3DBBB803
                                                                                                  SHA-256:7100B1A666B0AA99EE5036E23ACC1BA3CFF2E7B2C73A2EA72F5359374648349E
                                                                                                  SHA-512:6CA3A9F1D10B4C492ED4902631C38F81001BDF256014148A7628166BF1932BBBC9DDA570A295C99F918818EFBA28C82D1E33C1532A2EA8163027C14351CC4ED3
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.679229646565206
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:3y/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqUeaT:3uhMaVmzDC67EpYinAMxCuT
                                                                                                  MD5:A4EFAE23A302EE53F0A81FF5B3523292
                                                                                                  SHA1:EBB0ADFB9771F4CD61A1D0A9CDFE16CE5621A304
                                                                                                  SHA-256:D1D0C53044B2BF85F5B19CAF709BEFFCED51397AE94C37F14EB94E915C6446DE
                                                                                                  SHA-512:E77C1CEB40F69342C742AACB07016EA6ED5AFB36949E00E85663EA15996C62E019959FDD44E9E0D468C91DBD89CC8EDE10CCC9F242DB7D6C87D2A6E24E6691FE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):409136
                                                                                                  Entropy (8bit):6.098144476210718
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:qPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1j:06heZBJm333M89QAy
                                                                                                  MD5:D03824AAFFA4923C80E6D8B716D8430E
                                                                                                  SHA1:06CE0C7BAFB16D3E92B35444467DB7DE0A6C7C84
                                                                                                  SHA-256:7782C0F86CE42101799CA9828FABA1798230734D17990637040DCF15F3617644
                                                                                                  SHA-512:59A04EFE8423402F57896ED8D70419ADDF52309024606B35E485E051D21076261098DCBE5F7AA7CE5F8BFC93BE992E94A1AE07102F810B9B1E020529C52475E2
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51760
                                                                                                  Entropy (8bit):6.2347643754291555
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Yzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWZ:YzpjF0/t043e3vggr83jMYa/hU7HxVZ
                                                                                                  MD5:520478C4C71D99D43989786250EB4763
                                                                                                  SHA1:748AB4CFCCDB28B46E8226115C88681F72C033FE
                                                                                                  SHA-256:9708914775950619C1F13B1871CAA6FA7874891985E249F82AC60862C68746A4
                                                                                                  SHA-512:1C851D77617A8059491A1F02F81A27F8AE19CCF6EF925F63301F2C20B190BD35CFD60858121F7BA57301684A4685C87F25089040A67D1EB421A4B82AE8403B03
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138288
                                                                                                  Entropy (8bit):6.179821808998386
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:+P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlY:+h0qjC5RMOHO420kN1j
                                                                                                  MD5:684D6E74002F9691D8CBCB135B6717E2
                                                                                                  SHA1:9FC0F5E7AF66ACD2BB0316BF28E9CC0201037EE4
                                                                                                  SHA-256:B6AD62636F7224EE73ED95D2E14EB089C34D40BFD2BE21A4C9B02D34CF3FA3E3
                                                                                                  SHA-512:76710039C919E70A551E7768C230732F71A069DA34B8BDB7B9D2B853FA9001F3D37952A90E47373F53C8D323E9CAF6726F319FEBA632C2E98F5E06716B1C8EDF
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.673219933457599
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Rh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBAj3IR:Ry9eEpYinAMxCAcW
                                                                                                  MD5:ACFCB0A7B3FD1002A8FCD0FD5D65F734
                                                                                                  SHA1:8507B9A8EE31430F75678470F5FA06337A76A5E5
                                                                                                  SHA-256:98A4333A188E2E88F115C5F8DDADFBED3924900C1071E3226FA5B16E22FFBCB8
                                                                                                  SHA-512:29301D054651817479EDD71E80BA4FB2E3CA449A70D7720017DAA3CF6EA2B1390E56EF763C9C9A97D099A0464439923F48D99AB0EFE2FB8B3308BDFBA7708E9A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27184
                                                                                                  Entropy (8bit):6.334413974319615
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Sn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCW4:SnvXYcIh6yFIFBYpc47HxN4
                                                                                                  MD5:0362AEF9DA024E41795F98D8B888E955
                                                                                                  SHA1:53FC9E81D01A7C97D57B9E9ED9A3872EF1E81F74
                                                                                                  SHA-256:FC5600A53DD80910B63651E9C5B3B0CA82AA5C53529F4AA0964D21BDC4C64F3A
                                                                                                  SHA-512:F65C8EAB66C5C088FB85F16914D18ACB0E2B9B201BD37C5D30B8B0FD2DE2D0AD48C74912C4293ABF611A6A64FD76B3B9B61502993C9EA680723B22A3ED88A612
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.95553243429679
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRv:R7N1r9KGI04CCARLv
                                                                                                  MD5:F25FC027F62B2075901A6677EF81DC17
                                                                                                  SHA1:A7DAC5819431ACFFF9E91BCE7C6371B2A00507C5
                                                                                                  SHA-256:39CA7203DE9D6D026F5F1E27F00A5CA28133C0494E6F2E3ED55DD2F4F0893238
                                                                                                  SHA-512:2E51930198A5DA863A4B718A3772E88532EAE7C0E2C432618B3306F40AB141B6E7435246FE578AB7CABBA4A6BFC674F690484A27793965A6FBEB542F66BFBB40
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 12, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 12
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):0.9021424540703156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:2u5C4OoNSN1eN+5NmhZDzWL8OO7QzyO+p:D5PsveM5+tzy8OO7QzyO+p
                                                                                                  MD5:655D19A901D9158087BB1FBF7D02CD70
                                                                                                  SHA1:ADC493DEBD78860BADEC650CABAAD6EA9C365F93
                                                                                                  SHA-256:CE1D1AD1A7800833F6DD85DEAE4FEEF8978B01F725549BF833F26901BD74B51B
                                                                                                  SHA-512:C7317DA9B9518E1876384972A240133247665F5609A163C9DE67112B9B75D4010CD5A58BA576A2D4EB0E29BE08CD29156935B93100F69E17BA8FF9889EFB7C27
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                  File Type:SQLite Rollback Journal
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12824
                                                                                                  Entropy (8bit):1.3824329350040103
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:7MeqcFu5C4OZUlFJNGdNGveXXQXN+5NG1ZhY:7v/u5C4OoNSN1eN+5NmhY
                                                                                                  MD5:2551DBF9D4A696D715C484CEC3557211
                                                                                                  SHA1:164BA34B3AD0813748F90EC02A2F8A4425490717
                                                                                                  SHA-256:B53C78189A58AA45267778B6E09D612FA7BFCD544E652C79B51C93DDBFECA2FA
                                                                                                  SHA-512:90CA8BB168061401647A23993B9E24B8AB13D7FED79D20C79DA5948386A4D5F30C1B483D16390821CED7FA27C543A740B23D84A404F88A4012F3C415201ADD0B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1799216
                                                                                                  Entropy (8bit):6.5204766374461345
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:JuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFYm:oHmUMohVWpu8ul0UkTgNCfyo3d
                                                                                                  MD5:D066C090D3416A1D082902E0A7EADD06
                                                                                                  SHA1:57B66D2450BC314003510657A6309F9921081EF5
                                                                                                  SHA-256:820867ABD8E1D48A769C6D8F8D8626CB2D9E492D71ABFB47F4BE7BEDEAB93C6E
                                                                                                  SHA-512:F0839808A716ABCF4BB392E4BB1B2D664D004FA519048C94FBA9623481DA87FE023DF94619A184E0F7F91DD02F63BB8FAC1013D09894F000661F438EE631C4C0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1475632
                                                                                                  Entropy (8bit):6.7918990024107115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:BS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8q6:gdwXpQdNVNDQubXyi60jXTW98q6
                                                                                                  MD5:E0C12F374C3CEDEED79A92B5279F838B
                                                                                                  SHA1:0FC4F192B32E9FC6C9FF24B9CB3129CDD925C845
                                                                                                  SHA-256:44FCAED823205977E5C1F6654C66EB9F51351F10B572CE6E914F4866B6D7B433
                                                                                                  SHA-512:AF965E825DC88BDBE35B9E7FC4A3FE360E9DE7751EE074E899BBAEF00FAD5158BB9E7A023D5FB79F0562BA4A30648A15C6B4AF363239B82FFC0F72C12BFB1095
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2898016
                                                                                                  Entropy (8bit):7.99870723886616
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:49152:bhJujJ+8s8tJmFOZQseMG7UWhb7Bw+9Tk9Vx4kvKQReXZTR3H1JFEBh6NeboC:bujJ+GJMOisRsTxw+BUVEQReXZN3BEiu
                                                                                                  MD5:2E47FD6E7C5A7903B0FC0E2560585C99
                                                                                                  SHA1:05A0E44101BDC6B1EC954394ABCD50F44394BD7D
                                                                                                  SHA-256:3B9F52357457305F3D462BAB761CDCC760D95A08A20EEE3FBB1D293E22C501C0
                                                                                                  SHA-512:B66A2A551B5C56B5A26BD2D1F2E4B8F90CD7BB6B712A96C0F5C38BE7BF50A9DE871F3597B13A34943BCB8F79575E44289C5457A12AABE77C1FEF01BAB71540CC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-..... B.X..U.........6...AgentPackageOsUpdates/AgentPackageOsUpdates.Common.dll
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29232
                                                                                                  Entropy (8bit):6.341743761377435
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:spYIrBWGYPHEUePsnhkgGIW7W8feKWDpQNbo1JNyb8E9VF6IYinAM+oCMTKA:STrBL3Ue0FSTuKbo1NEpYinAMxCcv
                                                                                                  MD5:5E01CEC9F412D5A38D55F08655613E66
                                                                                                  SHA1:5EE3642709450161CD0A0142F3BBF80A1BB14FE6
                                                                                                  SHA-256:7ACCEAE6D205AD9CA29C72D02D3BAC335D33D06C428CCBA50BF33A4780EC832B
                                                                                                  SHA-512:9AC8B5AA7E7C9606205654933889215F29D7058B4932995412FF99706B318D44ABA98F38842CAD4CB9337BF9DD33D11598034DFE01AFF0B40E1290F0A08AB029
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1919
                                                                                                  Entropy (8bit):4.980638040615789
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:327h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:K4cw9n
                                                                                                  MD5:70934BFD2D7659E71CA6A5476C0EB675
                                                                                                  SHA1:9B1611D52D3B15A3EF0A5DB4FDBEF94BBD107379
                                                                                                  SHA-256:24FECC645D7EF3A69CF81AD72DFC95CDFC4BB313FCCF77864C9A47C69B5DD928
                                                                                                  SHA-512:0FA54C94D4A52A95F4A002062CB858222EA64D4FD8E8EF51725A440CCE9F64514DE12DFD60C41435B3B8DBA4AB80363984FD8E8350B5A9B0B75EB90044F14324
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):197680
                                                                                                  Entropy (8bit):5.738768519079045
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:R0fBJtxHscCEdeLq5+zDwtwF3yaYx0T2tlwg5rPdZiqiTjXZ+V7c:i5JccC1Lk+CwRyaYrweLriqiTjJf
                                                                                                  MD5:D3DB1B40EB62C5E1ED9A8AF5065C7FCB
                                                                                                  SHA1:5193EAB51BB2ADD9995B59FE2FC890850163175A
                                                                                                  SHA-256:B53A2FDE3AB87516C5FFB885D8390DB4291B4A0AE979FB6158D22D501B9C4999
                                                                                                  SHA-512:2466A02D72C05429173A07AC23C824AE137FA501F0C5219CFA382A75CECF2B595EB88899271FBBC2B3329C9A7DF35701806C6A2DCCC49688A4059E79518A1486
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1782
                                                                                                  Entropy (8bit):5.026919218581437
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3rrb7h+1/gYoSagFsg+w327RgdSg+CjdgDt:7rn44woR
                                                                                                  MD5:F0A8DACF41AED1B1084D1D5157DE3C8D
                                                                                                  SHA1:02D4EE2B81AF8E9626571EFDA122849B804CE29D
                                                                                                  SHA-256:09C69F2CCC14AD72805AB1360DB7D5AB486D99C5E55DC8B5F54695988811FF80
                                                                                                  SHA-512:A6F1E6BA01179DC9AFBFE04887C288142FEA9BD9A593E54977C7F050A0B0EEA96D26EBE3792038EAD56467AEBD325CF7904F3D2B4206B3FE40FB468437A6C4E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depe
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhU8n:Wrn
                                                                                                  MD5:E9AF22B3FF345802876478A24261E3AE
                                                                                                  SHA1:4748C6ABAF4188E263BD09428A86FCC3A90581AD
                                                                                                  SHA-256:9DC1086381A133FD8EC88A4A93AEC1AE11D9D5EC6E024C43D12747E2D2CB7E37
                                                                                                  SHA-512:1875C4D097CC718E4C2EF0277FFDA4F9E56376B2EE280AC3570769D1C56EFBBC8451ED3D2558487816BB09E49298C18CAE5048386469ED592B7CFD4DE61625CC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=19.2
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95792
                                                                                                  Entropy (8bit):6.181929039762044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:YQnbrNqoXFbuhpLHbTOgmAB4+n3uRw1FlQRd5JY4t5A56y0sDrUfUPrhZwLlf7HO:YQMiwLWgmAC+neRw1Hyd/YC+56y0sXUK
                                                                                                  MD5:EBFEC0451858E06C94E3C04ABB8F143B
                                                                                                  SHA1:50AB6CC44E2FC39C20179235D6159DC00628DE2E
                                                                                                  SHA-256:0B82075C65C102E785783FC43105FCB0F5D4DE6BF19E8C96EB00386303C63BC5
                                                                                                  SHA-512:E0BD59DBF13646228609596282DFF0495F8321A839263784091EB5DD59F6A3E787628E3A87E4F88CAAB3F11301E4820DE7F6BDA65297845CA0EE5B63BFF47AB4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95280
                                                                                                  Entropy (8bit):5.9966241796933835
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:H4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87HxsZ:H4auS7S5Ea6WMcpu8Y
                                                                                                  MD5:C595E1747472EA7AC391F12BCC893931
                                                                                                  SHA1:D59FE9B8A56DBA868EC11F697376743E3F1928D9
                                                                                                  SHA-256:D2FB22CE7FFD674DE2A7C112AA4E25E759625F5D7E9D3CE9D5D3F03E5FB449A6
                                                                                                  SHA-512:82D5EF351ED1CFFDC8C60E29E55F3A9A506FD9E29095FF7E80416F48302F731A0FEF258670F3E5EDBDE91608CFE3AB399DD4C9910106649B67253E2D3FD0B930
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.655281618539752
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:kXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl501W8agf:kXh+tYmNyb8E9VF6IYinAM+oCaF01bp
                                                                                                  MD5:EACD8E8CC64D8CF18176C7F54E07BEA7
                                                                                                  SHA1:76BE2A4F170FD657A1DEDD7AC08EDB5169FEC53D
                                                                                                  SHA-256:E81502C7A369F5C4F22871913303A3F5779D8149CBC815A65EFF2E177D3194E2
                                                                                                  SHA-512:B23E5E02F04A4C4A3331B96B82165B2C93BCDB49D72BEB082ECFEDFDFA4A17E846250DE09C40B5F2F3A2DEBF2266C42BF857536E62AB80405B3C510BCB37D1B1
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):75312
                                                                                                  Entropy (8bit):6.241314253152225
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:cu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrY8:BF+qo7mDEwj4NXLGcfgruFcg7HxRm
                                                                                                  MD5:E7955EB00219F6DF15595AF83E6B5912
                                                                                                  SHA1:DDA137F9934855AC01CBB6E642A3590B6D61F264
                                                                                                  SHA-256:904F044AD412090C9D781140C9EB24681F3E7F8977348DFD11B1E5127437B1FF
                                                                                                  SHA-512:42FEA5B98695F7BD014A20FD7735D29F5D8014A749F4AA2E0D5867FDCED2C8A6C4DD76723B5FB189EE5AC7F03659349A1C8873041E1E1428A9D3BFB9476672A2
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51760
                                                                                                  Entropy (8bit):6.4079299745036415
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:SQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxC4B:S9MYn1seLE8JFMLcyMH7HxP
                                                                                                  MD5:99CACF67586A7852034EA978459D9CC1
                                                                                                  SHA1:886D48B997BCA6C1B4979AD987252DB057FFB5CF
                                                                                                  SHA-256:4A299B02FE5480ABA846FB3D6A9371A9A421D344CC73C1F4E089507E94399772
                                                                                                  SHA-512:6BC93871AF74795EB55793AF01315E2667B25E2BB1AF88A5EDB07EEB3D095BF0D328160D74D4E4CAD80E4B2D069C20B469398D000B1B21719BF8E0574C0DBA15
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):145456
                                                                                                  Entropy (8bit):6.203986185627556
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:rRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhV:F9XeDmzV2yzlhKLFU1lLVp1+2flYFsI
                                                                                                  MD5:8CE7F0526F210C6AEDE0BADFC315CA39
                                                                                                  SHA1:F28D793C546C7E5A1EE31C175062B5D65D1491A6
                                                                                                  SHA-256:F43EB2CFEBCF3E88343F1D8AA63986E18EBE5786477A6D9C0D9FD5DD67C9FC61
                                                                                                  SHA-512:522F59BC331D65B4EF9ABCCA822CD1DF25654C2DAE9EAE0D842745693A5AAE70DD09B10A20DF27B87D84954FC037B93DFF3FF35107A3492D5E9F125C3C09B1E8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96304
                                                                                                  Entropy (8bit):5.634402313591911
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:l2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhL7HxxJJ:GQmyxL2L4D+YZL2X7SAaqywjhLNJ
                                                                                                  MD5:767A640C2ED7D4599A2EAE5A707481D3
                                                                                                  SHA1:85BF386C7DE6B2A1FB074BF752E1C237D7996F6F
                                                                                                  SHA-256:2FA0CDEFF13FC33A899BC822FE9CD4AEEF051EA80853C2130107A8BB5DCFF2D5
                                                                                                  SHA-512:6C37BCD2B64D908B8EE891CDAB4CD129743BA51F01EA2F403BEECCEE861FF52EF95205C54BD37C9F8168F8AEB58D5BCDDB4425749CF68AAC2FC4A7A63CE0A2F6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):308272
                                                                                                  Entropy (8bit):6.107077348487476
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:bQ8wCKFMjHq9bRwkpHNddKmTtYZo4smxTC3LnXNXa35/ZmvYO:bFKFMFySZIBHvYO
                                                                                                  MD5:BB8BE1A7C7F254ED882DEF01E2520E1A
                                                                                                  SHA1:B84BE832C23F22F68CA6A75EA2489BF41C6647DF
                                                                                                  SHA-256:92C508D8330A9F560697D3AEED337A8CDB240D376440A6C83B6F5EACFC865B5C
                                                                                                  SHA-512:3E94E26A0FBD5873133CBF9FB8C8EA942113E56AE12C447D9447258604F4AAA27E9E0DB35A61ADD979B76F50AC8BB759E69C37729B1093530472124A8696435C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.839306386716968
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:JN9VWhX3WZNyb8E9VF6IYinAM+oCF5W0l7:7G8EpYinAMxCD7
                                                                                                  MD5:2EB6BD39EE0651784A411E0A644B8D5C
                                                                                                  SHA1:6CC149629D3BABA869C6BFC0E9FA9CEDFBD1F3B1
                                                                                                  SHA-256:7A577DAA81C99D256F557779C98F2695358C43ADA875DCA59E60366CCB1CE43A
                                                                                                  SHA-512:EBB6B5AFCD4AE1F1200343E953D9D84BAAB6958E270D7311B1ECBE5EF93166110A0A462396CCAC136AE8AE2CC73F996C3B851E4157ABE61EE18629B4BD910EE0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):331824
                                                                                                  Entropy (8bit):6.168915352000041
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:UBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTK:UDMUWITZznu85k8Wdn8KmCjIFi3Vve
                                                                                                  MD5:6819F098261F19410482FC67B4839519
                                                                                                  SHA1:06EFCEF815477EEA452BF5ACA9B233AA7AC3A0B1
                                                                                                  SHA-256:B8606AD9328AFD498DD32D996D86DCCD7869D570303ECA134979F9D86A65F361
                                                                                                  SHA-512:7E3623E49ECB5C39E5A8877391A78E9B1A273A1FC62E4AC71CE6E2003F460AB34A594B09034D9E737A963C2ECE023CB599EC4A38F7622C244488C28721483559
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):883760
                                                                                                  Entropy (8bit):6.071473112829393
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:21n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQH:21n1p9LdRN39aQZUqS
                                                                                                  MD5:7B529CCD5EE98E3569B5D26B9E8CAA0F
                                                                                                  SHA1:2285B8177814D6A2A3E17CE901E629F536D2A088
                                                                                                  SHA-256:BCEE13BE001D01FA6DB4BF7556ECB33DF4494ACDF9E2795ACFC16DB252DA5461
                                                                                                  SHA-512:59DD42D7ABB10A93BC02728B85FE443AD73FDF57A5E62D51C4C7AB022514D74B51694F83CFA8EF6191094514B9537F1B60DCE251C35216879917CF01A5396FA7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.9604634417081215
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:ABARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUn:ABA/ZTvQD0XY0AJBSjRlXP36RMGK
                                                                                                  MD5:7242ADA3B827C1E94E6D2C760DCE19D7
                                                                                                  SHA1:EDA8AD330719965A6DA5D485CDB6EFB14EE96503
                                                                                                  SHA-256:10A19B5C3D7B15BDFFC99B0743642CDE19ADFC9590CA7C2322147F44FFB7A7FB
                                                                                                  SHA-512:16ECBB3BA706853BA84B738FFCCB9C6EF50C38576CD8AFAAE9F8B6B746B9600D4EC37E1AF0999C5927BADD260704EAF4FC63DDF4C20EC6044CA1B9AFEDD676D6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285744
                                                                                                  Entropy (8bit):6.184807290251627
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:sZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zb:sZU0BJwuOcrl1w7HX3HWO
                                                                                                  MD5:D0E617BD90C283D09E7E98B21489CDE0
                                                                                                  SHA1:A52B4574C0269613678F080FC71C9ECFEBA9AA1F
                                                                                                  SHA-256:6DC57489CF43418FE8B01B194F2665D70739EF56C7682EA446B699FC63DEA5B8
                                                                                                  SHA-512:6CBD55AC06B8B285237D84A72E7CDF6C48F1771C1FFF5C5D98A97C29084B909F97573EB3899243CDE104A5A0309BE1F592EC38120C7867B7F55A164BE8D2D977
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25648
                                                                                                  Entropy (8bit):6.5615246242097
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:bAQk7qYbU6fXOpLk5LHAxOEaGUBD3Nyb8E9VF6IYinAM+oCGgQV86upC6:goLOg6BD7EpYinAMxCm8pR
                                                                                                  MD5:AF58F5E926396D0E2B3D79A222B03925
                                                                                                  SHA1:D057EE1FD67F9A1369DB932DF50D21AD88192821
                                                                                                  SHA-256:C07AB9144981AA62A95E75B6BB0837A4572079867E04A92790CB1E25E1D38B80
                                                                                                  SHA-512:AAC566EC589D125C076057C2F79CF562FB55295A4FD4789B9839C751F6A16F54D78D98D811FFDCD589CCC775CC92D097B8B295F3414F50158DB7A6637A96C3B8
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2029
                                                                                                  Entropy (8bit):4.99666085039448
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Ar+z7h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:wr+v4cw9n
                                                                                                  MD5:A8C16947BDB4CB8CF1CF491FDC02B223
                                                                                                  SHA1:5CBEC67AF9B62D270764E5D6C0964881ABD6FCBE
                                                                                                  SHA-256:0F53AF9459BFA13AB9F911AE5FDBFDEEB0A5AE48B209E117321984E409413F06
                                                                                                  SHA-512:791153552D64F1315C42F794D7C3BD9AA90F8C62D547197EB555A9DF6E08EAB1FD93921FC1FAF5015291FDB4A4173137A93FA7964E8003EF70EAD11DE10C2DE4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </depende
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):210992
                                                                                                  Entropy (8bit):5.348248764493682
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/XLNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z5D6k:fLNkrE4AOqcIzQijL/
                                                                                                  MD5:9CCD9FB2124027F5CC0056D81AB00ED0
                                                                                                  SHA1:F281EB0A03A64E44DB7BE9CF304BA9E35C297D9E
                                                                                                  SHA-256:50D5885A0FA757A7650F5EA9604701F16168F3F903FA4258C416B896068CD7CE
                                                                                                  SHA-512:53A85490F28DC5692B9EC382014DD57FDE57A46F7DB2D78EF587116BC7658E785B7FBBF14BD3DFBE7AC80FCBC54002B1B2DCA1F14BF17E720884F304543C9151
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19427
                                                                                                  Entropy (8bit):4.994540973244801
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:hrg4wdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrdOPUDCTHffIz
                                                                                                  MD5:04178686B6E5E58B69F7DFF5C6FD225F
                                                                                                  SHA1:20E38E9E8B6EB9F182729E51710979250910798F
                                                                                                  SHA-256:F260BB0DFFA0C3969D7DCBE480F4502DD8C1696FAA7B9019247EC91C6B9778FF
                                                                                                  SHA-512:18375EA01D4B3F2CFFE413472B7E736CCEF0024A403C920A17D4E0F1A69F06347B80358AFFF4314EC6A5B9A02E50E850F94585CBF379843C07FE15883FBB2D50
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKey
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):284208
                                                                                                  Entropy (8bit):6.117089192355007
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:mZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHr:0go0WPVTXgL
                                                                                                  MD5:01507D157C6F85EEFE5A02CFA04C71AC
                                                                                                  SHA1:E7FDFAA47375345A355BAF1D8243196E0E413C8B
                                                                                                  SHA-256:3A3BC2FCF4BCB7DB66845AD9CACA3F75734373E03679F6C9A5893AD6D8C9BDAF
                                                                                                  SHA-512:648B1432B22D16493193A1232B34084AE93EF18E00D6E9081383DB560555C689742EC7D946A19AFF0A43478FE8422995997C06A4B1F796555B069FA5F9300C0C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8082083149017505
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ljDNxWQFWHNyb8E9VF6IYinAM+oC5+wBEI:9DNVwEpYinAMxCl
                                                                                                  MD5:CCD36031B00D5200B07F9A1D9E4FB292
                                                                                                  SHA1:6D1FC82131FCC294983761DDDFFD95F756711403
                                                                                                  SHA-256:8BEC1A8B018DAC93D1495221A71DD6EF88DF4303D33B34118086AC668B87201E
                                                                                                  SHA-512:724D367F7DFAAD7648BFAAA804B245E8B228E6B835F1DD3F40A913B96AE5B52DB5FD65764E099CB33588F77F257AC5BC07DC5B2CD186DDC262F8A73131759186
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.672156046290606
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAgVuGp:jrMcXP6gEpYinAMxCFuGp
                                                                                                  MD5:447A02BF8CB2F5B74CD969D49368DFA1
                                                                                                  SHA1:7837448EF402B337F72D88753517D066C4775776
                                                                                                  SHA-256:F8514827ACF9E3E31F1591B5C9FEF70E1B84B6A13325B54E0CD6192A432EE136
                                                                                                  SHA-512:2754CAE9579539CD6BF4B41CF18916C557E3437BD9162ACCF406E64DD61ECBBB6C12067C54980A3F24C931EF12ABBFC12916999BF571CC900E560C6B6F39CCF4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.906708063624447
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:+m2igOWnW8rWVNyb8E9VF6IYinAM+oCPT89L0:Ot0EpYinAMxCw9I
                                                                                                  MD5:8D15F422CD36CCB1704BDA9AFACCC1BD
                                                                                                  SHA1:A010CE97600F161D08B657CFCC6B37AF27EF8C46
                                                                                                  SHA-256:8A46D05D26754E87235479CFE67E6FF6A081EE2A9360A5D5B35090C239A08807
                                                                                                  SHA-512:2AC14951C52FEF5FC054EE2EC1CA26004E9EA301699AA1B33B0B1044FCA89C025982C81B85ECCFFAC52FBEFF2CBEAD8A3BAD28F0D5318FB28CB9D0982A1A45E4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8984360991761084
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Nnapn1iwwPWcGWvTNyb8E9VF6IYinAM+oCagmKEFHN:0Du3PEpYinAMxC0jJN
                                                                                                  MD5:14ABCD3030A0F67F3FA7B9EB6E166662
                                                                                                  SHA1:37F5982EE6012B5163DFEC7AFEA62DB5C666E20A
                                                                                                  SHA-256:03D191772679BEA6056ED8A9C7BE7EDDE8AF33C29F9A8D03BC1C37241F8F4595
                                                                                                  SHA-512:E6612AEB5D962D22DDB5D05B36EBE174DF19D6253DFFD6384B070D3A311322278D44C0183F21FA0A1CA3F915E5EB9C0F2AF0C5C50903969B0B75433AF42B7254
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.905150922557699
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:QHLaEav5aaUa6arWVLWwNyb8E9VF6IYinAM+oCg3r2:dPv5t/NOZEpYinAMxC8q
                                                                                                  MD5:884E63693AD540A386F2636ECD128D76
                                                                                                  SHA1:A47348563874E8EB75ECFC5B5714AE7456DBA375
                                                                                                  SHA-256:ADCB44EF78585B00305D2D723C08846348EF7A489A8253E643DDB0B6C0E0AD7D
                                                                                                  SHA-512:9ED61186EF3B425B57AE97718E79CA35355209C7663C0953C2C8D7FF621F998AAA6015CCDA4FEDEA723BBE43B8E5E97DE6119210EA478C5C5FC475BB5C3A2257
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.760657703388277
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:p6iIJq56dOuWSKeWRNyb8E9VF6IYinAM+oCHDRxQ2JFD:3iA1EpYinAMxC9mk
                                                                                                  MD5:5782A2F15E90B9BB65D5144F3EFCED5D
                                                                                                  SHA1:C395E336F2F3173D186405D94DEF958E57BD24B3
                                                                                                  SHA-256:E906F21CE2A0F67F538A3B0E24A06ADD5B62BF2FEE88051C61620DBD09B57187
                                                                                                  SHA-512:53CC8E5CA8E113F3D6C9B3BACE9C8DDFDA0D2C1705ACF4EEB7D02CF05C10DAD9495C27CB240FC803A932447E22E32D6C7CD102F2F230F64F1B445AE1AF852DF0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.811536083748834
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Fnzz+MpSaLWW0+W1Nyb8E9VF6IYinAM+oC1JaMjn:ZpuxEpYinAMxC7t
                                                                                                  MD5:0C81D0256EE127D45A0829E5E325F5F2
                                                                                                  SHA1:995FA37C7091F067F6CEC15A46BCB2E317DE4082
                                                                                                  SHA-256:ADC9788AF4BE7DE8D7C492D88230D471E430610E522B2BAFB7FF1D219B7A8FAC
                                                                                                  SHA-512:AC83D77B807AC4D3F9841418107BB8558B1011B0066607387A78C3AA3A3ADEC9BC77E91395CCB74D537E414685D6D8A2FF189E61465EA29A2FE2706012E66665
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.8589137652058385
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:PGhr+YUfyHxsW/HWZNyb8E9VF6IYinAM+oCVUhv:ckmoEpYinAMxCc
                                                                                                  MD5:3DDE9C05C076FDF1429D9CD75173C6E2
                                                                                                  SHA1:578D028E3ED699A68111DEDFA37D095F2EC75A7B
                                                                                                  SHA-256:3139E4A728A1D2C82C476BBD54E3714F4FBC303FD3401D235B1338F13D1040CD
                                                                                                  SHA-512:5EC90F007C54633422852A0A7AE9BCEF8ECBDC70E63CF9751844E4BF287505DF4228FA20C709B5CF9785EB98951BA3EABD2E6ABF8090DDB4D34BA87C3D750B13
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16944
                                                                                                  Entropy (8bit):6.7876912072258415
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:XRE+ruiA5vzWeNWkNyb8E9VF6IYinAM+oC4XWKV:XS9bXEpYinAMxCYl
                                                                                                  MD5:FBE73E43216E07F425A24252C0C6F65C
                                                                                                  SHA1:0274AC0025B2B9BF44F5AFF28F674F2A3C77DDE4
                                                                                                  SHA-256:B89CA254B894484AFF1C72078D54EADB8FB4EA708D39483A25DCA94C162D3660
                                                                                                  SHA-512:5CD20028F6396785E4F0223BE92C059DE054D88252F4E8B9A578B935CB386B140199953A6ACC2BF8425B1C3B653A592AA80A5D7E148CCCAEC57FA6829457C8BE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.851358062531646
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:GT+6ywnVvW0LWoNyb8E9VF6IYinAM+oCcBV/:G99tEpYinAMxCi
                                                                                                  MD5:AA591EFB8BF0E36BF1E6E6704216BBB4
                                                                                                  SHA1:DE1461DC47C9B5BDEA46C29934D914F71C753C8D
                                                                                                  SHA-256:89081E8641B2EF9035E5ACACDD330082AA652B78819295B65B2710A4DF2D0A7E
                                                                                                  SHA-512:C04A7AC7F64CBC1D3EBB2CBA24E7D07E1714E41B6F27B86E86808E8BAC5EC57FAA8AD5229882106604245794DEB236B95A37343C840DB1A80A5AF896F3C4B89A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.849139120493329
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:RRbzriaXT+WlEWENyb8E9VF6IYinAM+oCri+tBPWSe:r7icWEpYinAMxCu8pe
                                                                                                  MD5:D1310043B82B94AC1BC180B5BF617D76
                                                                                                  SHA1:A27CBA6E87B4DB7CCCAFF72A305C61943A6033B1
                                                                                                  SHA-256:CD652BADAC8C9CE2CE221BF466F4F9F843F2B125846CD5EF6929E1B77976A085
                                                                                                  SHA-512:61A34C547EEC04DBDD9B2226ADF40AA404086D2971EFE9A239EAB6CAEF7FCC2A1420AC9686C171D444818E7D5BEC2830093070E3EE77FA1781DACEFE36E2274A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):148528
                                                                                                  Entropy (8bit):5.418314255292507
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:IHOdYYWg+GImdMEGK61wb5nx03LBblQ6Ndk66byYSI4Zki+BReD4pK/uYxtl+97B:3dYO+3m9R6e1x03BZ6bDSzZ8B0uAP+9V
                                                                                                  MD5:8DBDE3A97C28D3344D4227AE15C708EE
                                                                                                  SHA1:6294D16DC998832F6FA5A1A1AA01B450CCB97826
                                                                                                  SHA-256:F3140CC951BF272C5E38D769A7D351EF986A1BF33EF43B6BA694CE4397BCECFE
                                                                                                  SHA-512:ECC338746D72C298A364F4480C2F40003010D72D668C29109CFA41C3F350E5DB4A6EF8A6514724006AF57F9C6E87ABE5B933B63985086F57B1CEB72C8E6B316E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.812636234707437
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:qzNnzx7FWjYW5sHNyby2sE9jBF6IYiYF8pA5K+oCGUHF8oymiaZJx56co:4RtRWjYW2Nyb8E9VF6IYinAM+oCIAW
                                                                                                  MD5:16D2FD3D290EDA13521A860F295C9732
                                                                                                  SHA1:7F5EDA28E9D8057AD3683C3E9F96AD193314544D
                                                                                                  SHA-256:3A114F13C848ECA1AF9965CC8B93412AD84080C5C3E0217681C724F5F1EF080E
                                                                                                  SHA-512:CB9AF21F595B193D8F62003AE69C3E21227E8BE3B1ADB8C5C5DB9F390CA98CA1171CF23C3296C739B5C61CC98F2DF586A816281338C28CC72F5FA9571A5A3AC3
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.894254159830432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:MFxrIFWnoW5HBNyby2sE9jBF6IYiYF8pA5K+oCGUHFK1+JmWKY+L:0eWnoWXNyb8E9VF6IYinAM+oCG1+MjV
                                                                                                  MD5:90B4E125C75BB201049286B5582EAA11
                                                                                                  SHA1:D8E91F8C9E637C1E3D7E339465E64AC3B9AFA212
                                                                                                  SHA-256:8ECE3185D90574516782D28998A856E32245745CD17C45169CE40184013F14E3
                                                                                                  SHA-512:24EFE1E0ECF759B7555D30514BB8623E9A3321BF2FAB229CF02CAB3C0017A795140EDF043754BC9E61D5E32D180C0E24C8DE5007F5E000B55C46E45001245955
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52784
                                                                                                  Entropy (8bit):6.248230070449665
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:HC5mb2//6hDjsgXj55UJ6DwrKts7EK5m2yFVBg6WZZjbUpUhDIEpYinAMxC0a:HCYb2/CRv5M6jtUZjQUh17Hx7a
                                                                                                  MD5:CFEC3FAAB34990ACFC54C64C3B6808E7
                                                                                                  SHA1:C76ED41A92F77D9BE3AB1D0964008DDFA0108653
                                                                                                  SHA-256:9DE9A605D6A8C89CBE50D657E5B8F5A8988BA265473EE1660BD0B2551AF5AABE
                                                                                                  SHA-512:1525636EE2AEAA4F1D4BFBC5E10D70F833C15C692DB142A6FA0E78B8DB38BF81C0896ADBC8386472694BA76B1C6A2398694CC850E1246A1853C63573EC859080
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.855374776694347
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.7752522324333615
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.660800364274412
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8745478333746295
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.857361004400195
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.778572218931067
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25648
                                                                                                  Entropy (8bit):6.497756720695681
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.852137502873179
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.729399300179517
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.817774131536846
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20016
                                                                                                  Entropy (8bit):6.629984909380605
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.902202422569465
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gZ4RLWdRfRJ0RZWuNyb8E9VF6IYinAM+oCly3R:gZK0pJu5EpYinAMxCoh
                                                                                                  MD5:AF0541474D5101B83A9F9BCA4CCAE18D
                                                                                                  SHA1:C4531C3A35C23BD0A8DB7C478E449F1096EEFBD0
                                                                                                  SHA-256:BF0E37B6DFC48AEB4584D8CFC11E4220DD2461B4B0958E7ADBDEB4F885F69E01
                                                                                                  SHA-512:30CAE5D0A7E67533F25ED2A416B9C028F636FF7252B4F36B67A3E8BA3B867B1F54EADF4D5B8845A090D170CE717315B9CC48B478F0439D17B8F6DEDF1FDB7897
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.79684773831365
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6YWsmW5Nyb8E9VF6IYinAM+oC39mzk3UDguY1:62VEpYinAMxCQ43Igj1
                                                                                                  MD5:0285B025E379D72CEC77E76E6C3C9199
                                                                                                  SHA1:D917A4FB16C519390EA44D85212336961135323D
                                                                                                  SHA-256:1AB9B6D48D9439DFA26567E091790BB6C4B72B683666362ED2BF82953D610F63
                                                                                                  SHA-512:8A4C66125E46F6A0267957F7831744904CCE776ED626C94B782DE4739158C4F07F6FC96EC248A79A8DFDF2899FB13A6EF1650C7B5C710224F509A25A4A1395B9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):105008
                                                                                                  Entropy (8bit):6.382793274888649
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Gvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXW7HxSs:6gk1tiLMYiDFvxqrWDWNoJXWr
                                                                                                  MD5:5BEF80B4461EA7FC40F7AEB314517182
                                                                                                  SHA1:2368C820139FF5F59819CF4332BE2F5C36074B98
                                                                                                  SHA-256:BD5AB932E8DFAE0F86CC92AEEE2EA42FDCEB1BE46E040FD691117B2455809DC0
                                                                                                  SHA-512:8479ECE93EDBEEB7AE11C7151A65AFBE26B989C644F5D388981F96652E773BB606F8B7FCD318E1880CF53EE1CFE26AEFD416EED6C22282C8CB6874CF56A400E3
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.85654417947107
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gKcuz1W1cWMNyb8E9VF6IYinAM+oCLnEi2:wu86EpYinAMxCbt2
                                                                                                  MD5:46F337980AD8DF3B32AB242BF1B9A464
                                                                                                  SHA1:4B385DA3DABA54274FC4B677FBA52F07947C6D08
                                                                                                  SHA-256:18D88E8C000BBF063C19B6465FE39C133062D5404B30231A9B1BD61990D3D4F4
                                                                                                  SHA-512:90E102A13D56C96DEECF4FD08486100E61E410FACA1E83EFF2B1C9AFBA9F1149A9D002551F980E8214C77B89D749164ED935B541CFA20102F5952DA2A02B243A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8625580935847115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:XpXYpxjSSWikW5I0Nyby2sE9jBF6IYiYF8pA5K+oCGUHFUd79eOJZY:8+SWikWBNyb8E9VF6IYinAM+oCAd5DY
                                                                                                  MD5:AAD632FB4B9825F4CFD41EF51D22B0C5
                                                                                                  SHA1:FF28D7F1D15C144D82B3FDA1FD0F3DA64DC1A14A
                                                                                                  SHA-256:73D2A7858834E875F1802312D04FDA41B757FD38092639CE8F7423F7F69DE918
                                                                                                  SHA-512:70476DB9ECF8E2A421EFA525FF91185C861670AF6CC2B2121DBBF145E4071940E85D41F398DD9EC1F57D457538189AAF8071A92B1012802E376F37FA74FC6AA7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.9090505900126455
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:8DxxhREWzgW5mGNyby2sE9jBF6IYiYF8pA5K+oCGUHF76amaGRcSg:gAWzgWlNyb8E9VF6IYinAM+oCXAS1
                                                                                                  MD5:C3A28534C6151BBB807A8CB4DF0C56FD
                                                                                                  SHA1:C51FCD2C452ABF79D2ECCC9E571B9AABD296E745
                                                                                                  SHA-256:8B9C14A2ABB45BBB1D94D8931129F657BEFE3CC87139B3CE9CD68EC4ECCAF617
                                                                                                  SHA-512:EED8722C22EFD790A40595772C762303C61D9F89BDB37045DA63395A6024FB99751C86CF249426F5DB9EFEE8A64F0FC5845BC815401F42B425E508F0DEC0A542
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.86573166821119
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:eJWx7VLRWbYW5PqjNyby2sE9jBF6IYiYF8pA5K+oCGUHFncaEL7:bBLRWbYWAjNyb8E9VF6IYinAM+oC7cB7
                                                                                                  MD5:5D12D2003B9C1715907B57E2E2336E75
                                                                                                  SHA1:FD02CDE45718FDC5394482978DD2F261D8D83688
                                                                                                  SHA-256:08890E81C4676A30DAF7DB69980A595C4BBED23BADB0C6FFA49E27F92B495DC3
                                                                                                  SHA-512:4F2FA8128AB45A8FF922C19B52FB4D6CBFBE1C35302A0E23FFAC1C90642530B161FF4EA85E4FEE6B7A4847415D01D0F7C7A1BC9F4FBF5D90710E143B1D8FC10F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.853003578203525
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:fZxcMRW4/W5x9Nyby2sE9jBF6IYiYF8pA5K+oCGUHFyF5Fzd:LHW4/WRNyb8E9VF6IYinAM+oC+dd
                                                                                                  MD5:25964F198C9E4088D7FC2BC96350D82C
                                                                                                  SHA1:57C08B7BD2653A75971F8B09BC2D5DE035433DCA
                                                                                                  SHA-256:12C7CF810B0E5962BF5289224973D84A9559F16BB35F48FD84156586E4417C0E
                                                                                                  SHA-512:2855FE5B02B5458367B81E2AFB81E1F2C2310E8A3C1CDB4603FE8DDB451A8CB52A55034FA9CA8764447A96F2ED4D0F64BF80504DB20D5418481D4A965FDC33E1
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.91349914772287
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:1YvkRxpHWmCW5O7Nyby2sE9jBF6IYiYF8pA5K+oCGUHF69d1:yvk7hWmCW0Nyb8E9VF6IYinAM+oCuT1
                                                                                                  MD5:5EBF26CC80D7D2367B2ED14DBD480DE9
                                                                                                  SHA1:44E840B549ABA4201350C169508042C5E8C64D81
                                                                                                  SHA-256:83D1043095E5D0AC4B89E11D27E6BCAB0B8AB3C9A76033B12C389C7F9E7EB6F4
                                                                                                  SHA-512:9DBD3438D67D68ACB9502F07F8F12563EC132DCB91781BABCA8AC2A183F3FB23C68B6459024061E9C91D5B507C61EA9FF0579CADCD8FE68CB7681F5C770FB286
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.875910359378026
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:MUiW2xf+C/WCUW52DNyby2sE9jBF6IYiYF8pA5K+oCGUHFLZiopWWHq:aGMWCUW4Nyb8E9VF6IYinAM+oCRlO
                                                                                                  MD5:1995E29BAADA29FB8819820770F26C62
                                                                                                  SHA1:4B34D3A8718AFB2D17D0CA4F4431A781C65FAE11
                                                                                                  SHA-256:69851804FFD0DCB7DF37C3D6F1F06D0A1A441E9AE5951F34ABC36F1A2CFCA4BA
                                                                                                  SHA-512:BC80F721D85909AA431788033952522774A33F72E8F9BED6B149DB6C01D22F5DADBB9F35181BE6C1FB5E3A29915CDE693ADA989C77C274FE97ED7A81DB9FE69E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.853688680069455
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:SBhwI7WSQWLNyb8E9VF6IYinAM+oCCtg1u:SDwIBlEpYinAMxCG
                                                                                                  MD5:862ACBAA8DE2117C4DE7476774D516F2
                                                                                                  SHA1:BADDFC33B47A09EBEC90C0B05A56482F89D89C8D
                                                                                                  SHA-256:649ECB9376DF48E12DED6D6A95ADBEEA6A36EBB8C011C9802FF8119AB40B436E
                                                                                                  SHA-512:0FE11B0424EA4816B2EA0A162F588EAD2B3EAD5EAE2973323CE1386F4CC753B0793BCBEE038656542647DBC445C831936B6D7594049FB3B20DEE63EBF28AEF8A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8712991278808655
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:hyvPRW4lWaNyb8E9VF6IYinAM+oCnK5GIM:o39ZEpYinAMxCXIM
                                                                                                  MD5:CD6F5C599E5DF13BF3E67D105BBD6E4E
                                                                                                  SHA1:4441108F1108D9A3A04F5F2B205FA520B8B7E61C
                                                                                                  SHA-256:5724B02518B16C2C501EE080B2990DDCDE55AD0C91AA0699E69B3F4A405E7615
                                                                                                  SHA-512:492A3226F3DC51F27091414F5FD59F2415A9ADEBC4995EEBDC9C52B5089CC818C73535AE3278C8ACC7666B9DB192ADC8801B9763D15CDA4EA3CA62D064847BFB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.822162805236912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:unhp+J2sx/5W6eW5L2Nyby2sE9jBF6IYiYF8pA5K+oCGUHF9IAvOn8Q:I6RW6eWoNyb8E9VF6IYinAM+oCiAGnD
                                                                                                  MD5:3437F5869D0C914914F2370397AFB8BD
                                                                                                  SHA1:9CBBBFDD16C567760965A264644131C7270AFE01
                                                                                                  SHA-256:7610364F5FAB3269A4AE5D4AFC6D4939B3625B44C5128A7982FBF96665FD38BA
                                                                                                  SHA-512:55BA204BF4C2C04A48C2A61400A1A6F8EB52AB56EF2C0E6962861FB8D781DCBBEC9A4BBF7F3E1F949E882E47E1E02B378189B5BB4CC0098633F51A931EE42591
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.856876886578975
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:USUP9W70WTNyb8E9VF6IYinAM+oCu1J518Q:xUe5EpYinAMxC0p8Q
                                                                                                  MD5:FAB955A3E4EEEE01097ABB43A3607C86
                                                                                                  SHA1:8766ABB10D70E64F2DBC7B6CDBECCEE31182665A
                                                                                                  SHA-256:18BC3E5B242C7481112A78BECAB84A62F99A1496E3A08F8B5AAB0A73CE6FD51F
                                                                                                  SHA-512:E27CF08356365768C3C9D73FC3FF6EF71FBDDB2EC4890932F68A2CFCAEFA6BB75DC40C7C2C8B7F02C72A912F8FCD18BCA1F6186AA1DAF62D842D9F77788F17B0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8529608893292115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:08yg07W0/WFNyb8E9VF6IYinAM+oC/ojZ:0BH0EpYinAMxCAF
                                                                                                  MD5:C9638F49F3429205B5288AFC2894F505
                                                                                                  SHA1:29356F053603A24AE8EDDDF6A0E6F99DB739A3F8
                                                                                                  SHA-256:0CEED106BEB406C2051AD24CF4C3B01C872EFC44418F6407860453826AAAABB3
                                                                                                  SHA-512:78E1996CB1315775F84756179A8123BFA8DF4F5E5669FE247BEB529B87F6EB6DBEC58D312843BEBEE163F79987156ECD9530F648E106484861D4F95EC7036A2F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.815737222976089
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:8ueAxQJ4WmRW58/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFOq/gkY:ye1WmRWaNyb8E9VF6IYinAM+oCasgkY
                                                                                                  MD5:0EBF8BA019503FFF6CE8C96B8451916A
                                                                                                  SHA1:4057552663294F1652E7BD277FAAB97F3FC99E44
                                                                                                  SHA-256:3D1D440E865A8FB047483F7211E6DECBB3AEF9B1062D3D30164EC447BE95CD26
                                                                                                  SHA-512:F7F9E374CA3BF171B98D63E2D93E61748E465ABEB9183281A6AB10FB5AA0DE25E5EB5C12BEA2461A2982449F459CECFDC8DF44754FBC28C0552FF559695C416E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):142384
                                                                                                  Entropy (8bit):6.161184989113367
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:mUGrszKKLBFa9DvrJGeesIf3afNs2AldfIQ6D:RBFd3/aFs21
                                                                                                  MD5:54D029A43A6C0F42ED4A23FDFA2D5C73
                                                                                                  SHA1:C4FF7EAE7E07A523E9307EF2C2D56480BE2B79FA
                                                                                                  SHA-256:DDFDA1DB70F43D20679590F1075F7DCD8604A67AF927CFBBA607B497C3A1DC37
                                                                                                  SHA-512:A36DBFDBF74D949EB0BDBC1EA36C7CD0200CE6A74507A538D1BFDDCD8EBCE59D635B761E9727F336FAFA2508B6A086BC9FF984EF3A50573C017B259077AE39D6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):192560
                                                                                                  Entropy (8bit):6.115283764355454
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:ceruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgUX4:VW60VcTvakcXcApOD4
                                                                                                  MD5:2DE6CACC7CAAE8EC32A4ACCA2372217B
                                                                                                  SHA1:AEC33C954F09DE00D3DD0106CA18CC34D3D269E5
                                                                                                  SHA-256:32AD73E09CF913CDD10B802FDE60CAA3009C642672C811AC293BBF96BC9C8C78
                                                                                                  SHA-512:444FAA8453BCB54ECBE8256F60435E4EF1831EAAEB663B8AB2B56A14683FFE8B6607D119AB4A8D0F4E55947D03AA8F16839DF5A1BBD3E4B7A29CF475B3FD196F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.838008946902689
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:cZsxgyrWYLW5lSNyby2sE9jBF6IYiYF8pA5K+oCGUHF5LxLCMIuPkr8:y6ZWYLWyNyb8E9VF6IYinAM+oCNNLpF
                                                                                                  MD5:90409A11B947C7B7851C1C3F3BA682BF
                                                                                                  SHA1:D0F4051772DAC6D8BEE286E3D2F3EEB66B93C76F
                                                                                                  SHA-256:A36DC3D7D40EA97A84093EF4B46CCD55B6B7B306305DCF1A66F58AD77BF703DD
                                                                                                  SHA-512:972E0F5B4C25BA1AF38420D5D2FCF93B3B5BE4AC3A95ADE19CB7DE567F2472B0074825CE1253E918D1DED321355A42D572659652B33AA34339AD20792DAC2A55
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.790255214658902
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:A1W1WMQWrNyb8E9VF6IYinAM+oCuH2kRwO:b15EpYinAMxCunwO
                                                                                                  MD5:3F00A1C64D87CBFE42BDA418FEA21722
                                                                                                  SHA1:BE09231122402528197546510483B2991994DCFC
                                                                                                  SHA-256:521A6998CD06C2779435F481BD55A05ED2F1A56879C2D45F641446C31AF3657A
                                                                                                  SHA-512:E8F3C9170766999A856D263801F5A3AAD2C86EC2927777D2F907AEAE6644D8638339EA603308A9F9928144F12663A8878F7552AB7EE242145388EBBDE371926C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.831937561896812
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:PdSWSKWvNyb8E9VF6IYinAM+oCsVaSL3l:VOHEpYinAMxC03l
                                                                                                  MD5:998563BC54AD72451D67ABB161021DD1
                                                                                                  SHA1:28157C4B0416DA275B402DE200C9ADE54AB661F7
                                                                                                  SHA-256:45E5B90735B46F184AF6C8ED8B7A7E6E421B0693769B0246200B3275CAFA3CFE
                                                                                                  SHA-512:198A1A66549BE21BD72E664D8D7420D316A9CDF223A40F31CAF082807987AA2BE7501FD0AE527117B4BC7B7120F621E02CB2B146894AA9B91467C99D21E5E572
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.751094184544074
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vJEYA2WkIWhNyb8E9VF6IYinAM+oC1IZM2RO:vyYA8vEpYinAMxC+ZS
                                                                                                  MD5:B90388FE21BCE3614272D5D811CFA0F4
                                                                                                  SHA1:2A6CD094FD5F379010886274EBDAA726E215109A
                                                                                                  SHA-256:184B301478FCA800DD5ACAB7E9C93C577917AAD9410B7B0AFF59A8584C86C38A
                                                                                                  SHA-512:27F8FCF3021CB76BBBA526E793CE5BBA473B65B949A21273C9EB6EE30E9ECB4EBE41B64265F106948111C5BF82E6F89E33C90B71674BE5163D9B71BBE66E20D7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.873207581433883
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:jl0qgopJ5xBcWe4W5PqNyby2sE9jBF6IYiYF8pA5K+oCGUHFVO3BuOu:BJGWe4WENyb8E9VF6IYinAM+oC5Oxs
                                                                                                  MD5:B054E10ADC5FA8E493876287A6458E5B
                                                                                                  SHA1:570E449F809521B0B7EB13C50C85411233210932
                                                                                                  SHA-256:4E2FFE1EA36813D662BEDC8C0F10F0B8117DDCD7B2D05C12DC821FF0CD35C14F
                                                                                                  SHA-512:97761E42CE08B770FE02AD22C237E5384820F516A5D8E2EE2AAAF7109C3A3347D98855FD33C537E03FDA8952186529D979CC8D70D21177C315B0A0ACB0D9DB9A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.7845057032264044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:4dW1w3WesWvNyb8E9VF6IYinAM+oCV47eL:h1wx1EpYinAMxC+g
                                                                                                  MD5:B2C53320FDF5CA8A04DB60B170BF7141
                                                                                                  SHA1:F6B6E809514EFB12460A23C04CBBDEA9BA48F464
                                                                                                  SHA-256:3A21E7A51031A173F7A4B3A749DA253D741E6FDA19515C5E00CBE0FA99F5571F
                                                                                                  SHA-512:D87E00F90633A3FBB61D4BB347511593B33B6AC17FEF57E8785087BC6F57069B01DFC481BF4834DC9EFBB19323CE88D4E0E2653BEB32F0A788106D466EEF3834
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24624
                                                                                                  Entropy (8bit):6.5950895512475265
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6ylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsWmNyb8E9VF6R:6yp12Bhkg3qnV/sEEpYinAMxCRN
                                                                                                  MD5:C3389FF2057FE22EB3F83AA8AD988B61
                                                                                                  SHA1:937E0F25E0C6E5870F73724F2276530DF2DA3357
                                                                                                  SHA-256:A2BDF759ED39D7189DAEAAAC69B8C0AA561D084C68B3865E7A814F40CF253F0C
                                                                                                  SHA-512:A7ECE9C58E1830478D2C28CA3AD7FA7270F4D91CB66C0CB1FA6C8B60DF9EB5C526200EE13161C4F9186F8AE8A4C49900AEAE3EBE762FCC9FFCBA25ACC930CFEB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.854004665858865
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:hSHlx2PW1bW5akNyby2sE9jBF6IYiYF8pA5K+oCGUHFl5tvx9niT:kHPAW1bWPNyb8E9VF6IYinAM+oCJ5ry
                                                                                                  MD5:80A31AF6647EE20B2BF11C959CF2B6F2
                                                                                                  SHA1:699B1AC5E0AA58077F85662824DB7613EEE2F629
                                                                                                  SHA-256:FF7B2BB2119A21DCB6BC5637967168675AD845ECC98B9CA03CDA0B33E6AC5C56
                                                                                                  SHA-512:5837112C325AF3BA01767270C65A242E21DB07D9F93A0582D63662B2993ECC84EE0533D21468B780D2F6067C9AB1AA9815E2E87E314C7058D14C4B3FD6B0F23C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.855645358104699
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:E+TxwFqWD7W5d/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFCet6ZFUZBW:nNoqWD7WXNyb8E9VF6IYinAM+oCeb6M
                                                                                                  MD5:DD7E87359C9DB7FD20E598618AE2922F
                                                                                                  SHA1:FC88EAAAE9FBD0A2BBFCD50D596C6E4B92415F6F
                                                                                                  SHA-256:C2F129AB3052CC82762C716FA8340E3C9E27DCF90C1ACC7D7CD8BDE19218863F
                                                                                                  SHA-512:CBD18E95DC34ECD7199FD0930F6C31C373F536732C5518A1A75D6400108D94871CCCCFF006382CDCF77206D0DCB2FC0E9E68CBD2B41562A47A88D79FE1439DE2
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.865214773597899
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:CGETSAWUEWvNyb8E9VF6IYinAM+oC6t/Z:YT1tEpYinAMxCA
                                                                                                  MD5:6E279028DB84C8CCEA36A4DFB8FD8B2E
                                                                                                  SHA1:7E93D1B484CE601657096C490A35E9B20521F326
                                                                                                  SHA-256:7FEB317E233C08040ECDF429124D63007C6B6BCF8E17BAD422C98A15462E23CA
                                                                                                  SHA-512:1D7211AB09E0076499F5A2CA2C4DB4B2F856CA62CC2AC68D068568291ADDF0AA5CFE6BA5AAE0CE4146A72CE2607CD2DBE419179DDED8567E56F26892A8C2AFE6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):110128
                                                                                                  Entropy (8bit):5.512625823117999
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:KPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7Hxi7:KWw0SUUKBM8aOUiiGw7qa9tK/iE7
                                                                                                  MD5:931C73931BC6E2DBCB34683C2AE71923
                                                                                                  SHA1:BB5C166A81B45AF1B74FED5C6AD36813358BA3F9
                                                                                                  SHA-256:D9FCD3BD5EA8DC4E388E45BB835ACB8DEA101C272F65947366D8FE76927E4C6B
                                                                                                  SHA-512:8771A47AB96999AA2E9E6AA4974304A54AA9F67298F43B201F22184D89508C34D04E302B4659AACDE2BCAE5944779E3E788A69A2C16AC42BCF291DB25639098E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.846809432296737
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:icDagtDApWSKJWVNyb8E9VF6IYinAM+oC4LsCdT:iPKBCEpYinAMxCN8T
                                                                                                  MD5:2693D271F2B9F6D14E3AEEF0079C0EF1
                                                                                                  SHA1:2EBE522B25B4C183F22A8239221BF3B52AC5FDD5
                                                                                                  SHA-256:3B78B3B56306054BF30B6EC881E24FFF29FEBE08DE44EC17294ACDFD2C0F6C64
                                                                                                  SHA-512:ABF3258FA8CE7B5A9CAC2AA50CA03D6D7D7D4820692B37407A8B4C6769A4EEB0D921FEA48DD8436B95F6EC8F57FE1D2658625266D468FF895468879B5B9C5B87
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.860267420444249
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:96NxhqWD4W52ANyby2sE9jBF6IYiYF8pA5K+oCGUHFAybofRxmAebkm:QIWD4W3Nyb8E9VF6IYinAM+oCM0YCn
                                                                                                  MD5:4BF6BE85C36275A13BDFAAA3D9A55D49
                                                                                                  SHA1:0E7B0643665F823E6FAA3AE79138103B407385F4
                                                                                                  SHA-256:22DE5910AC98140B787679D367B97B4EAE56EE6CBDFCB2790CDBFACC21F58B79
                                                                                                  SHA-512:83566A383155FBDB3F39238BE3048C3E95748C9B98DFC1906D6FB525DD146B31FBD79FE705EB14E6B0614F89EBA037FF8D22ABB32CD6EC64DD6365F1DCB8D499
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.787583373266895
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:zW2KxVSWzQW5g3Nyby2sE9jBF6IYiYF8pA5K+oCGUHFh/JZlpxpmG:UMWzQWONyb8E9VF6IYinAM+oCN/JPv
                                                                                                  MD5:8AB3FA586374C8F665CDEA48E03F5E1A
                                                                                                  SHA1:497791FAEF03AE27B63231CBFE41955EBB28B11B
                                                                                                  SHA-256:FEE7ECB7BEF2EFE3C6B01FA2A79FBBB430E8071DEBA438E4352B1F7E052955BC
                                                                                                  SHA-512:74F56813CA882971D5BA4C21EA9545E0C2AEE7689EF1C84FA3731BCA0CE6516920676A6833911FE98DF845E9E36066278739560CF32FAFC2ED22A31F15ED2951
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.724412451599048
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:cxDHKWAMWeNyb8E9VF6IYinAM+oClPKIx:0D8wEpYinAMxCVV
                                                                                                  MD5:F723F054F62113FDFA44DAEE679AC8B4
                                                                                                  SHA1:5279D462CE00635EEC95FFEEF7DB61586A93563B
                                                                                                  SHA-256:70A53B0BC7F8EF46BAFEDCF5AB5C4BBEA6F5AE716F9E38AB272A844CB22E607D
                                                                                                  SHA-512:FCFE41A357F312634742957781655CFDBAF261DA1F5084BCCAF7E6FA11024FAFC881D42B69925956C96DD441C302F3DFD4E3F1D6481853D5055D75E84DD0D97C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.829726456767626
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:RLNBEW6pWpNyb8E9VF6IYinAM+oCdT1qeKSL:RbMmEpYinAMxCpB
                                                                                                  MD5:88ECE5ECD98CFC34709EB39ED3F8CA46
                                                                                                  SHA1:AD0C3D223C73C7CA6D681E95A7480C51517BABD1
                                                                                                  SHA-256:9A47E35C14B0B0092EDDE88E669B0CC68388D725FB0A9D2406DBEB16914A8389
                                                                                                  SHA-512:D60589ED9C35715079CC2413CB9D31B67FB58A0C1AE9B144F5CB0AC1DEB031EC915B2815BA3A681EEDE2548CA0DFAE834B8D014D25B3F61BB4B900788BA75126
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.888134245403728
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:eGKkHKW/tW7Nyb8E9VF6IYinAM+oCkNKuTMYO+/:OuMEpYinAMxCWlMc
                                                                                                  MD5:15E74C0613513DCA5D4DD727E0DD3207
                                                                                                  SHA1:1FE9A68B150B27BA0AAE00D6854ECEA060E19CE9
                                                                                                  SHA-256:323BF439BCD5EB7162B8A10C1276E4F78E3C34F45612A7F1B15DDBBB1D7D25E6
                                                                                                  SHA-512:65BDA143AB8971A371967DC3C0899531B40EF47BC5577EB10E5BB79F86BAE4195140DB28C7AEB6B41D1A133725A569A56AB9538F881BE06D0732A152CAFA99F9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.831431780203924
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:mLnfIWqrW2Nyb8E9VF6IYinAM+oC7Dq1bol85e:mDf47EpYinAMxCgboic
                                                                                                  MD5:6996229697B1E24DE5B12FD88D5A5CAE
                                                                                                  SHA1:FE47C6768321BF0FD13DC325925EC06955F1DA88
                                                                                                  SHA-256:DA8B015E87211DF5DE78DF1D70E24815B03D4439522E22AF45A905F8BC93A62A
                                                                                                  SHA-512:43E4D049A7A830C5BE76677A139D812DDF4701A5585AEEDF373C7D08C0370AD8CE9355D6E61C47AAA7A04714780D6A496303792A894BE99C0E51FF7895D8A2CC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.676207828645295
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:fh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB2cL3:fy9eEpYinAMxCA2u
                                                                                                  MD5:E9EBB2532A1867B9B03595F877447A96
                                                                                                  SHA1:6CDA0FBA52665633A00A02B00B5C68797398A6AD
                                                                                                  SHA-256:297A2F95106E444B185C95564ACF7DD345B3A030B968F14AA68347927B7FCD5F
                                                                                                  SHA-512:757B7E5187618AD926FBE82C572C1E99BB001A64E185782887378508D54ED1F1A67C0B8E19AD55C6D3BAA82FA4D59E6A8B45F59DFA941511571576026389F86A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.815870354501672
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:dZhbRtxWl8WK1W5D1Nyby2sE9jBF6IYiYF8pA5K+oCGUHF8x/6DpR5D28fRr:3na8WK1WTNyb8E9VF6IYinAM+oCY43ys
                                                                                                  MD5:0200AAD129C7AAB6424AF4B860722FE2
                                                                                                  SHA1:463C9AFD695B3D511FF63613FAEA250591BB9909
                                                                                                  SHA-256:8D4C5CF6884976BD775F9571CACDD3C5A5D4F5B4111F6F2A166FDD3BE8C73664
                                                                                                  SHA-512:36DD447951A0051E2134454DA1D34543094617C00FAC739E888983EE744A8D528C4F79E12C0048BEE3D3C522C2068AB758E06BFCBC0DD667483A79FA86132973
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.764501115140365
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:oBSWITWjNyb8E9VF6IYinAM+oC3mR692kge2:o6eEpYinAMxCWRbl
                                                                                                  MD5:60763BD7655E4488DE99891C038AC653
                                                                                                  SHA1:4FBC8805D8F72DA0A550F938479FA27AFB35FDB4
                                                                                                  SHA-256:150EBE9FDDB4CCD4DB1E0099A9A8D6DE1BAAFAC0F7485D6B192E1F140C9190C6
                                                                                                  SHA-512:87326FE63C93E04741906F9396AB687C7BFC2545B49B2940698ED170CE7CFF9B06E1941AA7CE4657AB7F89DCC2904B6B96E8F48A9F0FA0E00D58EC3EFE8C7E0D
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.876032877580039
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:w88cIIWNoWINyb8E9VF6IYinAM+oCJGXu:w9cUeEpYinAMxCP
                                                                                                  MD5:CB9B03A1A829DA4BE34DB2D81AE0CAD3
                                                                                                  SHA1:581816DA44E007D4E217250C18A37C80CFF60EE9
                                                                                                  SHA-256:E074B2D28B6B291D50A26FB826B9F5C0D0FAC9875D0FE376E62D87D74DD662F1
                                                                                                  SHA-512:8645955EAD75C37126EAA3F3FC29156383C80ECEFF816666B780BD335564DF3CD9DD031B494B08EB4323D2DE5636C0B05D6E4A80B39E2D6FDD7D3D74CD4C26AD
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22576
                                                                                                  Entropy (8bit):6.6208384922553005
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:AkUwx9rm5go1fWKmmW4oqN5dWjaWxNyb8E9VF6IYinAM+oCowXwdpI:vrmoFmWXX5EpYinAMxCbV
                                                                                                  MD5:F07970272436BDE14C717AA6FB6EE787
                                                                                                  SHA1:7EE8D69F3D623A41EA484A3DF884EC45F5D3E35B
                                                                                                  SHA-256:611EBF3B158310837987FDCE1F2081621B5149EB9184E1A64CB7D9441D681FE1
                                                                                                  SHA-512:AF2ED31F1564E4F83E1265D1232130E3308F69CDFDEEEE351A2B71461480EB3178108DC466BD3369F917BC7B0243D5AE0CB89813FAB983F08DA25A7F2E9CDEE1
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18480
                                                                                                  Entropy (8bit):6.676697242770522
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:J09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsn:gOAghbsDCyVnVc3p/i2fBVlAO/BRU+p1
                                                                                                  MD5:775AFBF01588C7589D1BD212228B773A
                                                                                                  SHA1:59606BBFE270C902433CF4AE14F7B79A79803575
                                                                                                  SHA-256:16D4AFFA6D67631E5B00B563EC9866844615ADA141FBBEFAFDDC76288A11DA3E
                                                                                                  SHA-512:1C47371FE6FBCB91236039A386C32FEB46C351C805E9F4E3CA6B67FC65FB46E58362218F2805ACA5831A54234581DB5908A2C75E5A52B1FB918C93A65326D9C0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.832534352209227
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:clYx4AW6RW524Nyby2sE9jBF6IYiYF8pA5K+oCGUHFt7kRCh/xl:H7W6RWLNyb8E9VF6IYinAM+oCZ7LP
                                                                                                  MD5:CB03FC4364E123ECB3F9EC8C9C0EBD3E
                                                                                                  SHA1:5FA9207A2C652B401D7E789B2E9F8115E06A6C61
                                                                                                  SHA-256:75258974E26A6F8A5F77C9E37226A019F92BF779F893AC096CF76C11DD53D8AD
                                                                                                  SHA-512:F711DCDE1CA8C6441976CD2014FDC81945AEE31BD55A913D1849299D873B2A3EED95777368BF28247C7E1C8391E373A2F743B6493073B0A778FBB91B16B5D663
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.923044192027933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:bI5HeWFwTBsW9Nyb8E9VF6IYinAM+oCuKGS:bI5HFwTB3EpYinAMxClF
                                                                                                  MD5:0AD9DC0EC16347B1D5C63ECBE30311D1
                                                                                                  SHA1:D6017E36A76241CA73170064360C50BE64C07688
                                                                                                  SHA-256:A649DA0189A64F11A02BDFE96FD0E98F36A6F39CCF19B02A503D476AB01946BE
                                                                                                  SHA-512:41F9FA8D3A1C09369A6DCDE2824F670DD79839AF08C488E3B4B0C3A3683ECD708483B01FC0642D51DBFED28ED50BD316BECEA40D8E08D60BA2D22E48F17E599E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.893205476830528
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:2AJpVWbfkBnWdNyb8E9VF6IYinAM+oCn2+bc:2AJpWfkBEEpYinAMxC8
                                                                                                  MD5:9BF8F9A5BFCCEEFAA114EBC6F70808AF
                                                                                                  SHA1:6D0DDB18EAD8F7BB12EBEB365638A62A32702C09
                                                                                                  SHA-256:2A4AF3551AFE55DFB2A5021648584806E1DEBB6BB2FA5B95629864675C62F108
                                                                                                  SHA-512:4119F4DE9D71D56C7D1011049D53D1FE9C2AAE0AD4E6E0D7B772263563E8C015624AC0F42068D781165AFF6818D572A0B7418DE8BE0D27C703DE23B5AD26ADDC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):21040
                                                                                                  Entropy (8bit):6.543654661703608
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Q8R71h7yzt94dHWFgQBVWeHWFyTBVWMNyb8E9VF6IYinAM+oCRNuk:R1dyAqgQBfqyTBjEpYinAMxCj
                                                                                                  MD5:131FE34C147488474B3780ECBA9CA2B1
                                                                                                  SHA1:80222449BD692B2B0BC0697EEE10E5F28F5553FD
                                                                                                  SHA-256:C98A37553629E21D6282620FBE96CFE5C32CCC599D64D26C10595DF9C7DCB6B4
                                                                                                  SHA-512:ADED1960251A4D4F6E79BD07361C1E6C94279F9921707DD719450B32E1DA296DFB4571FF0ADA9E9A51ED550F463F2284AD7F7FDBB185CCF8F34ED162B6477CC0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18992
                                                                                                  Entropy (8bit):6.683203744220023
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:qpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWUNyb8E9VF6IYinAM+oCZ8oCLjw:QsPMQMI8COYyi4oBNw4tBEEpYinAMxCn
                                                                                                  MD5:2AC6BC6A2D827227FE6CE644FFE8D73D
                                                                                                  SHA1:A80FA5323B867297D26B295B91792BC5F5F3C758
                                                                                                  SHA-256:25C5204CD765A9CB6086034BEB6323E052F7C4E4FE92D2886727674212DE86FB
                                                                                                  SHA-512:3ABE1DB508A5F46CB252A06D58D4097579BDD2D2DD8C498918F713C880C9248E8EDA36A0045AA7102A0693D17C0BDBFCC351896CEE39E735C89ADC4E31205A97
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23600
                                                                                                  Entropy (8bit):6.317248152653794
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/bhigwLAuZtM66g/Id7WVXWwNyb8E9VF6IYinAM+oCdTtC:/bhzkKs1EpYinAMxCK
                                                                                                  MD5:AF91C40C3BD107071976AF46B3CE34A6
                                                                                                  SHA1:13F72EE267C47D8B08C1CCDD03F88E3CA56377B4
                                                                                                  SHA-256:39285F2D570EF2E8159A95B2BD58F0B43157B33FF3635BA25591E5BDA71EFBF5
                                                                                                  SHA-512:002520D27A22D70B2D09AED91B7475F20EF4003B949A4487C4B6E6E96867527B6B94F9E84B686DD18E0F9A82543BB7B472D3FB9D21509A744B2A54097A59D07E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.86896886618503
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:QUcX6W9aWmNyb8E9VF6IYinAM+oC7y5a+me:QUchSEpYinAMxCmH
                                                                                                  MD5:14058F5A666BBFD6BB646E746D5B48B5
                                                                                                  SHA1:F31F08C97261D9D09CB4E02BA2EBF53F426C897F
                                                                                                  SHA-256:926175A6649BA7C13A8F342EEB65E7417332AA394B8F39965E198B46EF729950
                                                                                                  SHA-512:CD4EBF748E0E6B9B632465D54BADA1E6819767133E7C8705BD3391ECCC5338FF6D513720ABD9CFC99FB087120496BE4CC0F440A793C6E7A9473EAC97008CC793
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41008
                                                                                                  Entropy (8bit):5.951328363917011
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:zoBj7kS+8mjvHTeaWKs0Sd4eerEpYinAMxCpP:+Pmb9WKs0PeeE7Hx+
                                                                                                  MD5:CED72FC79E6D4FF16B9A76728887E509
                                                                                                  SHA1:D687D052C038FB471D7D6D46D8DBC73CB7A07067
                                                                                                  SHA-256:7E0006F103956A9D641B2DBB9A47E3B21C91F5190C5624C2AB4B846FC3F451C1
                                                                                                  SHA-512:562DCEA613662A0321F35B77C9969162F52100BA2C0D8DC400F8BC0A428A52FAAE6D286C06E32C648EEFB4A26FADB2C569C69E6077DB6162F1C98C80C799D056
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.896928440934084
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:zTI2pWPzWKNyb8E9VF6IYinAM+oCWxypAkr:zE3bEpYinAMxCpphr
                                                                                                  MD5:DA2F1512E50E51DB617CFF52FD28D01A
                                                                                                  SHA1:F91665918E0614A5C5C3B80DE3A9D802E1E95708
                                                                                                  SHA-256:2048F20BC6E12BE1BF7FB2E069574B6FFC98575AB47F6951CB2C5ABB653DAE68
                                                                                                  SHA-512:5BB5A158C28E1E49A3670CD214D316629F6F90B0DF9139D5ECF82ACE69604A3F16B9CC0A14C1B838C246EA7DDB51549A4E8A86435105B69D9B1C68051EE654A9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.910345815931198
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:icezoy4W04WFNyb8E9VF6IYinAM+oCmpT1O:iBzoy+DEpYinAMxCd
                                                                                                  MD5:169707A3381CD292BD7292A4B9D1C2CF
                                                                                                  SHA1:CE776869CE9BA7E86CC79090D33D681179BFA205
                                                                                                  SHA-256:36AFF4C1AE832E79382C27316A537F7D763B1A5D7CBAF7459AA58BB3D820AA8B
                                                                                                  SHA-512:AB905C75BB2ABE4BB9089017F10A693B4807C130135BAB4200674E2122880577386639BCBA30219D858A036A7E3529A6A26BB0ED1240473B2424E8040B6547EA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.798868146749093
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:cWgHWexY+WKpW5ryNyby2sE9jBF6IYiYF8pA5K+oCGUHFjekeA4hVe:CH/JWKpWwNyb8E9VF6IYinAM+oCXj4a
                                                                                                  MD5:7C7ECA9268D236DBC3D38D1BC35F55B3
                                                                                                  SHA1:C55649A5E3640D6B84FF2E6C81380BCD185AC382
                                                                                                  SHA-256:76FC7D0D1E6D3E2347B2BA45CA1AA524173EFA515FC01432B3EC835F7698C94E
                                                                                                  SHA-512:848FE242579CDFEF65D6081ADD4D84E29FB8BDF97DF0DA4FE7A0D33B635DA8D3D5E4A47D6D02229D7F92BF73836DE79C0A6F1E37A36063EB56B3D3F38F96A8FE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16944
                                                                                                  Entropy (8bit):6.745446603238014
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ZTjbocNsWMhWbNyb8E9VF6IYinAM+oCtLnN1V:dboYy8EpYinAMxCt/V
                                                                                                  MD5:7693637CC6EF9E68E36C7F4077AA380B
                                                                                                  SHA1:8930E57AC50545B83424D57190020B09E851AAC5
                                                                                                  SHA-256:25401F34A2134DFE37753C88C3EBC0DE56FF2AB7129C39561465C1BE2CB25AEF
                                                                                                  SHA-512:61D7BCBF6C44DDD6F0DA80B3343623E6D2945EC23BDA018242CE362B15D2212F13B14D0CAD71C0D242F8B3CB0A54A0338B16FE81793FAD20E4903EBBFC521319
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.843058770096932
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:c4fExAJsjWVWhW5W9Nyby2sE9jBF6IYiYF8pA5K+oCGUHFvpHIq8aPQp:jSKiWIhWCNyb8E9VF6IYinAM+oCLp8pp
                                                                                                  MD5:C2533F5E37D64C4CCE5C8D4BB95C4D46
                                                                                                  SHA1:FDA124A70A00FEBFFCF3FFDA41B6EBDFEF9409E2
                                                                                                  SHA-256:5D6DFB62B1C8612F34051D5C97A9B1724632C4986A1E7DC457A4E5E343B2C773
                                                                                                  SHA-512:D1DEA8C559007059A853AD96774B1BE0ADD20AD3964BAA2BA8CDDCD0E139D3B7F90108DF386B0D7C738EEB438E3E02E9EFAB5E98F9DC39BBACD40077FE2B5A2B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.7905252400346585
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:UT0KbZWApWmWTpWeNyb8E9VF6IYinAM+oCkp8ewd:UIKRylEpYinAMxC3fd
                                                                                                  MD5:CACA3160EE4426170E66FA0863F229E1
                                                                                                  SHA1:28A6611F8263E342AA23812A74EBE20CD9B8C235
                                                                                                  SHA-256:DDB20FDAEF5F18C2D7DD591A6EBF8EF6DA437FA69ED8CA100545C7D3E7D2B5BE
                                                                                                  SHA-512:B0A344EAA2C7C8ED8C63F07370D592D9B16364029FB5608EDF5E1B172C1539C8E1071A7E56BC7513832D55A8AE5A96B1A133FBFC4968A4340A51103E88E0C490
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.874303280973402
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Ub1nWCXWzNyb8E9VF6IYinAM+oCnY3chk:G7SEpYinAMxCa
                                                                                                  MD5:E53EFE89896BB9F08203FD90DA7BD38B
                                                                                                  SHA1:C59907873E91FA42A65137437D01A3A327DA4438
                                                                                                  SHA-256:E1D577ECD2560E125DFFE2D4FBA81B75B4EF4E09A385957069779F945CC85280
                                                                                                  SHA-512:44B3003FE9C5742F5B597DB51C9369D910EB1F270CA25B8FFFC107C87E1021F59907EBCA4D1CD72C40DEB921E91481C7DE2F66365B08FDF932A4E7DC8B0DC278
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.7756158533202395
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vTyW7TWWNyb8E9VF6IYinAM+oCRr9Y1z+:LfLEpYinAMxCYC
                                                                                                  MD5:E5C57CD7176B3BEE7D9452B1C212BC96
                                                                                                  SHA1:ADF073E730030D28051B378E4B9B1885E9792256
                                                                                                  SHA-256:93DFE34B332B853F3244A35794F2446C8D1AF9998572E18B2C66EFB91408C201
                                                                                                  SHA-512:A6CADA7FA2FCAEA2F929BC3374CFADE04A5B85CAA357BD3969F1546B55C285DC0398204E5FC783CB439130D134E0C61623A16F818DB19687F8FB300C0684A681
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.9090433068080275
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:V6Rb32WVzW+Nyb8E9VF6IYinAM+oC0R1H:sRb3dfEpYinAMxCC
                                                                                                  MD5:3DB50CDA65D7FB3624A42C32DC7F0788
                                                                                                  SHA1:4706E50247AB4ADB707D62A7EC983056020555A6
                                                                                                  SHA-256:3FC6D41341952107FF61281301E9151CC8698B2B639CDC702DB7892DC1AAA52C
                                                                                                  SHA-512:365B5CCBE40A3B7D34C0C4A762B14010735B5B4A41EBDC77553F6909F175342ACD68243042C07940355EAB6D32422E4912700DA96721337EFC69802FE907B29B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):31792
                                                                                                  Entropy (8bit):6.536607270841918
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Du5I+sqOylryry8qqIfUc7a5FEpYinAMxC6Tw:DYIVBpry8qqIfUcm5e7Hxzs
                                                                                                  MD5:538B08D8E5D718AE71BAD5A3D3CF6C94
                                                                                                  SHA1:6B9D97968FF9BC1B83DD4E643553074E90F41C28
                                                                                                  SHA-256:4B04CEE0628125C0377B31D2AA321F0A6F6E2EABDD40C0BD99DFFAC0673F3EEA
                                                                                                  SHA-512:73D76A5A5D080B0E09363AB38785EDEAAC67BC0D6C00199E683910D2C3D2B7304C394AEA1848547688A592CA466AF7E943C36C6307249A3E9D3E099DD48C2ADE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.877555047522914
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Bvn4HREpWiQWRNyb8E9VF6IYinAM+oCeWDJLzS:+SLEpYinAMxC/S
                                                                                                  MD5:688CD6D90CC4D2E0F6A130ECE1FACAB1
                                                                                                  SHA1:D2B46B07262A3BBD38FC009456B1536B213F5095
                                                                                                  SHA-256:8FA61D74E08B4542521D4D50BED918EDBB5E504AAA649E4AC126779DAF4E504E
                                                                                                  SHA-512:204EB7BC0485EC5C432088D2F4005BBDB221D0C4E1ADE70C3CE2F685D0AD5770870C04EB8DF9531B1B003FF9BA4BC2C63DC1630816BD9681FB56A50DA32AFAAB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.774196906426326
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:v8MjKb47T3UCcqFMkJ59WdtW0Nyb8E9VF6IYinAM+oCo/M5:kMjKb4vcGdOfEpYinAMxC/5
                                                                                                  MD5:27AF9489A77495A2692D49E95B8F1D98
                                                                                                  SHA1:0B1D6BEABEB9079213AB0D6DA86CAE1100D0FCB2
                                                                                                  SHA-256:3ED06370BF9C0B1A41DDFAE104EEC32F11F66926F6C1BB3D2053AF1F4648FFC6
                                                                                                  SHA-512:D58702C87A4E961DA8DDF59546733C2855A1ED6F6DB334661927E59E3B4E9A59A56824B7E022D60112FD48CFC737CF68CA5F5EF33FCDFE8E2BF34952E81B5896
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.857245131328711
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EzyNXd4+BW6FW9Nyb8E9VF6IYinAM+oCDYh2uVTA:5zKEpYinAMxCcfA
                                                                                                  MD5:84E1CB538F2150601126F664F634479B
                                                                                                  SHA1:A738F801214D9E81E10938B8EEB3457814CD50A2
                                                                                                  SHA-256:94CE090093F9A6C10B138614A0D57ABD7000C23FB118905C0E00A7132F1D6990
                                                                                                  SHA-512:F9024C483AC145303AF496CA84FCBF54BD7079266EEC2B2599F9DE86A1BFED731CF807919ACB0345F2B44680EB6DEE83312B5C8887BED8ADD1DBCECAD456D8E0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.863897497502461
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gvs2Q3HKJNrWWRWS6Nyb8E9VF6IYinAM+oCm8lwE:guMmEpYinAMxCPiE
                                                                                                  MD5:723420ED3393D954FB8A33CFC95F7098
                                                                                                  SHA1:61901C9288F3B354643FD62FAAB1F1D25F85BC10
                                                                                                  SHA-256:9F42B6267CB4DDCC90E7FD2FCD2C423C074BAB7402DFC0332C548DD87E1887B2
                                                                                                  SHA-512:C31DA6A702E77D2B31CCB55A1DFFE5DA903DCADF5145416C0ABA2C918D9BCD4E56F6FA961E856224C45A97C0BCA5A4B9F993498F49013842C3ADD43C2E5DD212
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.829635354773763
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:QFz0Q6gcqRhcsMWdMWtNyb8E9VF6IYinAM+oC9Jt1hkp:QFz1c6jEpYinAMxCLxg
                                                                                                  MD5:C38B8242373BC54A1CE53B2271EE53A0
                                                                                                  SHA1:A5D2E06B1C8413325998D080AC935C207FCF21C2
                                                                                                  SHA-256:D3058087C594565F615803F454D9E39533E12A089DC26AA62D5D2DD9885153F6
                                                                                                  SHA-512:4288F69D514C833C2D6C851FC30FA7262D5F3C30E5F2DE2CE271FFEE7F5D43610B6A3688A73FB2524A3949B169814195DD5C6D379EB635B2F741AD99588C7865
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.723766249793486
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:96xWA3W4aW/NWgNyb8E9VF6IYinAM+oCIJs0B:9aBbEpYinAMxCa
                                                                                                  MD5:7FD709C698C4096B3D115A860BBC5B7F
                                                                                                  SHA1:5C4B0725DC6FBA9359CCE7DE23C2F9EBFB61BDD1
                                                                                                  SHA-256:A465222CF8A4C464E5247C6D07C3F7EA22F48C9ECF266AD942FA07E4956F4204
                                                                                                  SHA-512:16C0D7D48C2F56614EA2C9A71E730475516065BE38A679EC58F17A47A112067D6473E190202F3A7FDC52EA0C0883A07CC44D24E22B3CB70326F1413AFDBE894F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.954765955203869
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Y784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRy:Y7N1r9KGI04CCARLy
                                                                                                  MD5:EA41EDA99391A64C120A49E9A7B91811
                                                                                                  SHA1:FABD435621BE2F3EEC6D48ED1046E4DB23FBA540
                                                                                                  SHA-256:1EE33AF829CF9FDA86DCAB82CFE9E24A32BBD5CE63921F6C67F0F63B481CD4FB
                                                                                                  SHA-512:348B94CB4C352747E7448FA568D3BBD36682487A95D9DB2204B24D2EB5CBC67EAF87D2CCCE89CD9143882EA0F3EA6D146EEB93A1E9DC6320364D17C7728EC78D
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.853246150275349
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Er97WquWeNyb8E9VF6IYinAM+oCkp91xN:ERJWEpYinAMxCe3N
                                                                                                  MD5:20DB2310CCE6772B101B2346F0D66C8B
                                                                                                  SHA1:1E63CD8E7315BDDC1026239EB686FDB5F1AE8164
                                                                                                  SHA-256:B3FC0B34EFD73E3E8F48E56F72B9D7F6DD83C41E6958C758F457EAD82C73B84B
                                                                                                  SHA-512:3666BF918F0AC459D432FFDD9C14256621FF0D71B86E90C40ED39FDAA5E2FCD462D7D17C6894C03DBEB0F869E73A1BA753558EF6286DED42F91AF2EC8634C164
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.796004255126891
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:c1h2uxSleWLDW528BNyby2sE9jBF6IYiYF8pA5K+oCGUHFMsl22A:w16eWLDW1Nyb8E9VF6IYinAM+oC4t2A
                                                                                                  MD5:0EE23CD6E503593A3400D16A880F7C13
                                                                                                  SHA1:9153C658DB9E5069E1064066598B9B2DB0BCBDAF
                                                                                                  SHA-256:35F6AECBDC2A790EE538E2EDD5B23431EEF376FFE9FAADE9A2DFC93E6FA1541D
                                                                                                  SHA-512:818FAA10D07C4B53CA680580D6F5DFF86D9985B13814841908AB63FE1ACA404294A30109B5DF16AB9ADA0045675CA6C8F356D4162979A43056B6E82F1BE91514
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16944
                                                                                                  Entropy (8bit):6.786559582232923
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:68G4YC2W+wW8WpwW3Nyb8E9VF6IYinAM+oCPaL:1GZ5ZEpYinAMxCg
                                                                                                  MD5:657D075104BA442426EC0A7AFE1F0FDA
                                                                                                  SHA1:B623C8A162B946C251C26049F8CDAF532212F8DB
                                                                                                  SHA-256:2F89397F0BF17A66C6D3F8646677C635BC74C886D98DD70012D95F6BD56D9D0E
                                                                                                  SHA-512:E4E8852ED5573E723254FAA3D2E55A00C4DEF6275FA1B36665C51EAC444DAD9CB566E9CF2949CB2BC0289ECD0CFF5A8C119B9F02F053544D8975935F4F573958
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.898265155274898
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:N6ziqTEkGWvRWpNyb8E9VF6IYinAM+oCKPzl:NYT1yEpYinAMxC0h
                                                                                                  MD5:679BA5E3B57D62F3AC695630A066C64B
                                                                                                  SHA1:E9BA89E63690699B774915833B12738D634D70A2
                                                                                                  SHA-256:64C4854A8CE1E6935540D4E8FE12CA5EE8E952A2E409BB5821C2700B5FEC6062
                                                                                                  SHA-512:7214FE3D47A9D733A5E02F5EF87D4FCB69BBA7313213143E3C56DF66C97BFCD257F21181C4A2222E512FA5F5E4EB0E87E5D23090CF5B2449D16BC42E20F513E2
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.8103116939703945
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:YUv7c7iWNCW9Nyb8E9VF6IYinAM+oCILT5Tb:YM7c1VEpYinAMxC0Fn
                                                                                                  MD5:64D1B67423F6C8EE6D8612DC727DE842
                                                                                                  SHA1:B8F766D3BE3F4AA607945F4A34AF0F0EB8038DA2
                                                                                                  SHA-256:C3EDF0F04C7B994628AD732CDDAEE0B5E93097E5638EEC510082B7B9C007EF9E
                                                                                                  SHA-512:5236B5F9E68827C0C85B2AC68859C3884821B194884F81C1A472BCB043E4F84DBDA52E2D7237CD2DDB542339070DE6C84C9014CE6A1274D2CA0D1A3A311FC95A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.85387595688575
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:J+vxmNWnRW5x+Nyby2sE9jBF6IYiYF8pA5K+oCGUHF8C8cbmwF:MSWnRWmNyb8E9VF6IYinAM+oCIQBF
                                                                                                  MD5:861F1D0A0700A51CA1834244E23A47F9
                                                                                                  SHA1:A260DD223449DA3D7647EF74548E84719FBF2137
                                                                                                  SHA-256:B31397D061644C6602102BE0E7F236569C581395931611C92DEBB49593D0DBAC
                                                                                                  SHA-512:29F733F148867B0B55BC2B25E2DD3D9746C5D61626766B3FAC538E750EF1739C2309688FE0C7EE27CD092087145FBC719EB8C2FE380604C5B5B513FEA544CB15
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):92720
                                                                                                  Entropy (8bit):5.484731092201892
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:u2Ec05j4eAH64rh5fSt5T9nFcI94WX7Hxpb:dlK4eA7mDmWXvb
                                                                                                  MD5:46805C5101DEBB9EFB06CF21CCBBB502
                                                                                                  SHA1:E84A3D28B002F70B346B49C452924AFCDFDBE151
                                                                                                  SHA-256:FFFD8634C2687F4B893563A98D82C7A558A0D0E66670CC2D2094526C45485A4C
                                                                                                  SHA-512:B40F703C7BF1AE6C75AE50BD2DF1A3689B06F9613B67C339F74B3FCFB555FB2FABA253D7A59A8FAC754E27957E690588EFDC27C231D40C4781DD30704E181867
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):342410
                                                                                                  Entropy (8bit):7.999213117338456
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:6144:otuQkXtVeRpkpEsUwAV07Y0CvizbOTLHffCbbVSuQaUEjt2:4hkXtqk5YV07Y0lzbcbCbbVSHaU42
                                                                                                  MD5:4969C7AC075ECA1E6E6A22F95CD03017
                                                                                                  SHA1:330AA9A926B8B42FA7A2B036FEEC1DEE0300E54D
                                                                                                  SHA-256:B66E795D7F12ECE6E371070CB8A0C548986E2E89D1C70C484773715E1624EAEF
                                                                                                  SHA-512:8D28339259224B52DD72B917018E634944CD94B09D8A82894695C3E642245B7BA7F8B64C4846CCC1826ACFF3527DEB29A3BAA9BE0134C886112AA2BC0FF9BFF5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.489318667023477
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ynBM3uykm7XvXiJQd9Sy25JoUtfyt7HxLn:I2aatF
                                                                                                  MD5:511A4FB73993DFA87C69BA28F15F37A8
                                                                                                  SHA1:E8E61268B14BB23A7C30A09D8ECF33FD179AA85D
                                                                                                  SHA-256:900FEED3CDEA2E2EBA67DF33D4009AA8C757FC1E2B72A4EEDCE17DDAF5036A3D
                                                                                                  SHA-512:21406BC6BEBA530B2D9ACB882BA2480009B7688BB795AF34DF0C1672A7D4A4E3BEFCCE7358CB1193C46C6745B7406BE75634A874B8FE22D65C7DF4CFA6B2BE90
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):541
                                                                                                  Entropy (8bit):5.097123194334321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                  MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                  SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                  SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                  SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.418295834054489
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXXLVn:WBXh
                                                                                                  MD5:1E7F47BC15B23C7ECF9E885EF67038F7
                                                                                                  SHA1:5C79A779F9705F1549BC5431630A3517360430A8
                                                                                                  SHA-256:FA5EF118370C40B28CF76BAC7B1509B28F3FE172449EE110AE69A88B9C675C9D
                                                                                                  SHA-512:D68AEF4AB7C86455E1C0E0E1497D4063B5167CCCA942E07865B280FE17BC96E04E9051C1054037A557DE597E21E2D2581ACB35541D863F0EDFF533C930D2CE07
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=22.0
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96816
                                                                                                  Entropy (8bit):6.180538625810366
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:0Jt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxww:0QUm2H5KTfOLgxFJjE50vksVUfPvCh
                                                                                                  MD5:1A926EC7D64FC14448CEC5B8BFD0561F
                                                                                                  SHA1:99EAF78777F75510B5DE16398D85F0DD76A9374B
                                                                                                  SHA-256:6276E85A4BB54EEC3C1F1A75FE4CA41B298AE667524443D87F7505B802230D90
                                                                                                  SHA-512:7C0B44BAE38DF8B154FBA465C336E85DFCD95512C23A398CCD98029CAE82369428B6E5EF06C2F4F3227F89116213711F2F8181BE0C960D3C6F9BE1EAD562DAB0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960803889464813
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:SBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUp:SBjk38WuBcAbwoA/BkjSHXP36RMGA
                                                                                                  MD5:8FA7CBA2D1635CB0DDF31CAB53DC573B
                                                                                                  SHA1:F3C6A1F4D27633EF7361B03274D3E81030FF423B
                                                                                                  SHA-256:1F164C21767B7943791CBFE82F9456292CD75491B290DB8324AD1483B02CB773
                                                                                                  SHA-512:697A7EE46C8555AF06C12054A36811BE0369CBEAE9FA3E23D324801C47E483F81E161D20AF7805B67561E8ED6427A1CE53EDA1AD3827AD604CECB7EF8D9A6730
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):86
                                                                                                  Entropy (8bit):5.107845243245655
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:YhKSLJf2B4VXPFXVcvVR3JtFHnFSmu12SYqY:Y5fVPSdHF412GY
                                                                                                  MD5:316140F617131B0C56E75410546A1A78
                                                                                                  SHA1:E5D3B3ECD9B625653C4C67488433E5AEDDA0FBE9
                                                                                                  SHA-256:D3F808465B8A8C9B556BECCB293CA97B5DB96F3D4420DFCC7444CED1751EA48C
                                                                                                  SHA-512:B00B67C4F6EB982C844BB034229FA64B5B351E2E4BFD59904B8B6A79D4E4B0E0988A25D65C7D68D90AA9471AF655A1EECF327993523CEFA43F8F4829BB81BEBF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:{"DownloadedAt":"2024-08-17T20:49:09.9970335-04:00","Hash":"fEkCdzoZBX2gCqMMPS7yZw=="}
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):88
                                                                                                  Entropy (8bit):4.979738443539971
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:iFB3Qy4EE6LGKWqKRLXsmfWoVUgXAQJ:iFb4tlKWqKRLX/qK
                                                                                                  MD5:296BAD4BF543DD92B976006D597DBA77
                                                                                                  SHA1:B68E79064C66DB97BE38BDCD5BF385C9E554EEA1
                                                                                                  SHA-256:171B5B601CF799EE77932A7584AC1260DDBED872D688381DD7C8CFE1C56C5C85
                                                                                                  SHA-512:2AD489C4CFD89D5AB5DD1AD9FCDDF5C88E4ADDE2B236990D3F51D8F0ECD8418131EE5B62BC7A0B81CB3468370FCB5EBB7125C4F3D4794E3649760FFCABB4B672
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..15/08/2024 18:35:04 Downloading installation to: C:\Windows\TEMP\SplashtopStreamer.exe
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):637958
                                                                                                  Entropy (8bit):7.999354686674398
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:12288:HVd5b8dhfpvZ3U9ygocoFAdF4r0el92pBW/wFIlzxDFBLXJ:HFbyhfVsySoKdF6D2pswmlpXd
                                                                                                  MD5:767D5DD4AD2D6A3E0FF3E45DB47A9657
                                                                                                  SHA1:982A2AF2C94AE33CFB240A30A1C6433E5E5689DF
                                                                                                  SHA-256:156218F309CAF003096CB28C2FFCD74A0989E4FD0207E485A3292A4D8D1C48ED
                                                                                                  SHA-512:E8104B3622BF07059131F3F0A8DC9EA44C7B0E32213F534AEAE229F000B01425B72955197DC776F1B5750FAE2BEAAE888A2EA1D62B1630D3FC5D79B4C57317D2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51248
                                                                                                  Entropy (8bit):6.297269575035048
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MNb66jeKAdzF2a11sxKN/NEQDg8vM2j7HxqW:MQ6jeKAd5b1S2/NPBU2jR
                                                                                                  MD5:26E9CCE4BD85A1FCACBF03A8C3F3DDCA
                                                                                                  SHA1:3F78C454CC72D4C5B2A0F295530391904EC87948
                                                                                                  SHA-256:50F399A3867DEAB18530F8F3E72D489A15F62D6E250F4F795C7BB735F9522899
                                                                                                  SHA-512:D57C6A799C01A3F67AFB3DDEDDDBD49ECFC17C2347BEC24ED85207A846547F6288D2023961EDCAB67DFC512E0B1DA187C475A7D01BB1005A61D337EC4FEA0FE0
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):973
                                                                                                  Entropy (8bit):5.01886272205883
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdsVPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3s77O7Rgdsg+w3Sg+78w
                                                                                                  MD5:3CCA9B00717A374829CA50C82C1E70CF
                                                                                                  SHA1:357729D1CBFA36318D8A91BDC8C039E254A7CAA2
                                                                                                  SHA-256:4161C6070CDBCB94718A6E76931AE38CABEBB70E5B00C55E799E72E61F0ECAEC
                                                                                                  SHA-512:C172CF13115FC724799C50218F00A1055FA84DEC6B9FA28F7C981DE94D4DE64CDC7797E903D4E8B87CA2FAC535B62EB395E372656183C75F42E7086598C3C435
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXTLd:WBTp
                                                                                                  MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                  SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                  SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                  SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=26.8
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):102448
                                                                                                  Entropy (8bit):6.190977882973481
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:VPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxo:V2bYbYSWd85I5sSakFQhHL8i
                                                                                                  MD5:6C0E7E9151E242E401EEBBC13558E3F5
                                                                                                  SHA1:9A5963712AD9E0F336A4749E7C258A67EF6260FA
                                                                                                  SHA-256:77D6B8CB94B6CF5B399704C3CD5877211D99FCCA58F94D120998FC41185D0E0F
                                                                                                  SHA-512:02E5E5FA52BDA5CFF5181196C6A62913FA87D6675CBA27FBFF3D0C50F305BA4CF8D9D8C4016EDC90AB1513BA39D89B50566BFF4D05585583EF03B8AA17BEA793
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.857474166817892
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:w9c52LPirPW94/DNyb8E9VF6IYinAM+oCOX3lq:w9cym2KEpYinAMxCg3c
                                                                                                  MD5:E1AA9E74F8E36783187BA548C26A1D95
                                                                                                  SHA1:52FD9D58877986DCDDBDC5C1DAC6825C5720A4F1
                                                                                                  SHA-256:CE46D831129B265740E521A614DE1F2BEE211F350FFC9643407C75308E1DBE06
                                                                                                  SHA-512:B2D79FD01D4D0BC3CCFFCD62ADD4BC45BB25561892CD23299163EDA10896249F53FD966015B7655C209B33EE413C10565D51861298061E3886B43E77E59ABDB2
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):542
                                                                                                  Entropy (8bit):5.041389931890446
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                  MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                  SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                  SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                  SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):398896
                                                                                                  Entropy (8bit):6.134467211026903
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:WjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvH:W+e55LgIkTmyAAfTnMLvH
                                                                                                  MD5:6C03B5CEC0E3BFF6410B020CAC7EC662
                                                                                                  SHA1:DE5C6B33A97BBF0B3063CF44DACE307FEB968BF6
                                                                                                  SHA-256:05C2739F2AFA9A05514CD75C12BE6C0CD73A8356A28B3FAF84140FEEE416F339
                                                                                                  SHA-512:06900ACBA446F813E8181E42A0713B5BBD568068960DD0620C4EDF0F3C096E4C8B409181AC8FC51A24F638E37F908B6212E22DB3799107B51578B6853A8E60C0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960755198774021
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:eBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUj:eBjk38WuBcAbwoA/BkjSHXP36RMGi
                                                                                                  MD5:FA365D16F9EB02769CE0ACF75C31C832
                                                                                                  SHA1:F83D3F502E92DAD01574D16FDE5E7CA81C53A5DB
                                                                                                  SHA-256:63A690F6523922CB55B065764ABA61BE69F11AA93C8437C01485BCC4AC182F46
                                                                                                  SHA-512:E26E077C0C5806B3D4E1ABBB06087D08921CF6A46FA700343AA373213180BF9EABD7822CE418E24973909A515BA5B73DD0902402020E5A4AC56D387E378C4AD8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18480
                                                                                                  Entropy (8bit):6.708180254980656
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1qPstMu7M72kNyb8E9VF6IYinAM+oCiSFDKJup:1vMuo7/EpYinAMxCbeup
                                                                                                  MD5:C9A5D57AF074418532A591B4443AD16F
                                                                                                  SHA1:4F99922845AF05C64B36BC71FD34468683B389D6
                                                                                                  SHA-256:322D41E1890A28359ED05AC7C3973C2CA3532CB77F8D0646B982A76FE0A68EE0
                                                                                                  SHA-512:461CCFF9F349E6F8BE27F50C54464CA65AEC23DF6C4DEFB5A4AB085F8239899CE88B2C0B2764020807826C92BB2F757DCF39733721595E80C2AAA5A75718D9B7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):500
                                                                                                  Entropy (8bit):5.044946190927216
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGp2VOD9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsHPF7NhOXrRH2/d9y
                                                                                                  MD5:5EF8C402347FEC5555700DB9D649C349
                                                                                                  SHA1:2E70D02943060011AF38D9200B3461206F56933D
                                                                                                  SHA-256:718459DA91EB82BD0ED8AD24CC3EABFCA61D1B5C1D9060111F85CC7D84BADCCA
                                                                                                  SHA-512:F2650D2C604459E674810BDA95C37D3FE7747CF67B5736C4275DA91576B36F3FF882FD3F8A5F0591CDF335E935DB716BE827821333297F719C26B1152BCB4D6F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.676917265704932
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpodH3T:tuhMaVmzDC67EpYinAMxCWH3T
                                                                                                  MD5:F2016790A63364276B5DE090FF0D9516
                                                                                                  SHA1:C99BDCCD05A8813E6DEECCDFA0FD675FDC57A488
                                                                                                  SHA-256:662DC69A05611BEA25F993F4D249C83340C2F468E9564CA625027A1EA9C84E9A
                                                                                                  SHA-512:41CBB8D586AEACC6E9C156561A4C92EF30C3D50B8D4A91C2A0A41E186891C61776E102AC5DEB95A854C2241734A854320B49A0E0A05F20ECBCDB8A0F7E55980E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64048
                                                                                                  Entropy (8bit):6.268502105017609
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:BYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1JEpYinAMxC7z1:BKC9niwOepJ6TJPeb6NIUy7HxUz1
                                                                                                  MD5:9B1EA8A460CDBE957FD464E52CB74F9C
                                                                                                  SHA1:34574DE2F45BDA8A68F49C031A80476D6E6B711F
                                                                                                  SHA-256:41046ADC0E23A6A673C6DDD890C4B43F21A615D470886D59FC436B09B994E7A8
                                                                                                  SHA-512:A99E6C7829C4B6994E8AFDB4538DD8954DCFF96F2C59D62FFC91DA2E833F777F870A2F55A60CADBBED97ABA0F6411D6D40DE33D295491B2AEB45CDC51D485003
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138288
                                                                                                  Entropy (8bit):6.17978189203311
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:2P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlU:2h0qjC5RMOHO420kN1P
                                                                                                  MD5:8D61BFC6E305850F082B2A4FAED267B8
                                                                                                  SHA1:543224920E68C0C7B28C9411ECE8B9F8EAFA7DE3
                                                                                                  SHA-256:B7EF8E721E39ACE9C8C4B4C4490AE5042634637D24DB4A70AF33D29DC4EC5C10
                                                                                                  SHA-512:6AA0C22B6CBD1942AD74386919D8E4F0F69FF47FC97103BDAD3FE029E9137C51DAC70CDB84275AE779965E461BC992DE96028B92A3DB8F0D26B8B53A547CA09E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.63676850357766
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:7TO9dQWXYW8aVNyb8E9VF6IYinAM+oCJF08IoP:7Cn6CEpYinAMxCk8jP
                                                                                                  MD5:F6E07CB084C3B287E2D2525A597A4D0C
                                                                                                  SHA1:E9191698963EA0613747BC24842DF8C37E6FBE84
                                                                                                  SHA-256:D24366C19E9DFE77B7EA94546F336F20CF8F574F838F68EBB2179C6CBFE4F25A
                                                                                                  SHA-512:5AC38F55D0045BFDB9951154E87ED30E98B200C148897E7BD3C19BEFDA634437A1EC5AA2088CE99F0E17644069EEA93E97AE1DA00DB5746C4784228FE35E1725
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3206639
                                                                                                  Entropy (8bit):7.999884245147606
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:49152:Oow5J5gnvVKNRoUjRWoRoIF38GcLJd9dA2SZa44yHjC+JDSmmYXJmzIWiLQ0q1Q9:OoY5MvVKNwoFRWd9dAGeZmY0xCUmAAf
                                                                                                  MD5:5FAC57935A802E5924B6CCED75F79013
                                                                                                  SHA1:776CA3CBFB2017227FE14FC1075496531E4634E0
                                                                                                  SHA-256:576E253D8713A908ECCD504A3185499F49EFFE54FA65C73FF9A8FE6D013084DC
                                                                                                  SHA-512:223522098CC4A7EF518D7673C598F659352E0F1CA20ED6909405B11A032B97497152E16E659B0D351196B1073B35BC87F6445A4283C377B2EAF9ABD7FF4AC23E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33328
                                                                                                  Entropy (8bit):6.284299649172216
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:77MUZhpWikfoGh5yd1pjJpO6LRjBMlY/KJNyb8E9VF6IYinAM+oCnsjMTVVV:MUZzF++V1NByY/KNEpYinAMxCsAN
                                                                                                  MD5:B0E08EBA67B6AAB9E4CD11E3CC0D9988
                                                                                                  SHA1:064C7714872283E6FEF3484AD0FE8992C7C768BA
                                                                                                  SHA-256:B5B04685C709CF9E36564901410E03BE50721C3A5EAAF23A6EBAA0769D053B03
                                                                                                  SHA-512:839851904A2BE4F744518F62D1382DFA6CF48F728FB72BF0B115CFF907FB015FF6DE38FAA17EDD40BB94AA2E05F8DDA2060F7884FB46FAF367521D6DA4A88C67
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1062
                                                                                                  Entropy (8bit):5.04288182607063
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:3sIk7O7RgdjdgFSagFw
                                                                                                  MD5:D82D26318224097C2B13F43E879DA855
                                                                                                  SHA1:4626369E38B4505371D1376FB9A50B401B21A7E3
                                                                                                  SHA-256:1BE14A97E8F1FFC962C060B76FFAC47298D02680F235097CABF378EDB3EA34D6
                                                                                                  SHA-512:5E3B09D12E5FEFB6B82DB7E19A3D856D02C683B211F18CEBABC0A6FBEA9B3E84BCFAF414C7DF043F986F78A85DB8A22D4584DCAEBE59CDC0A527D7636B31886A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXSon:WBRn
                                                                                                  MD5:4D85725A2F8806375A69DACAADE654D3
                                                                                                  SHA1:C7E456274F787B545243539F2F983B54F4975BE2
                                                                                                  SHA-256:53C3D04D99D2AC65B205237B62D61B6EDA2B19F32FAE5FCF794B0995E829336C
                                                                                                  SHA-512:18FC9D2FBBC646F364D75911B84D66586105728FA0C2EF9E79F47A0CAB09952286C355451AFE1375DB6AB7E4814B6CAE2D844E73F7F58DFE7E24EBFE5222C3EC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=27.9
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):99376
                                                                                                  Entropy (8bit):6.189270306890288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:1lAttsLnppOphwrfNIkZP0kLv+ghDBzmItlVYlkL5ihaO40QhflQCxhB7Hxc:1oESpOPptPkW5ihaOdQhfhBW
                                                                                                  MD5:E78076BFC4132527A53D595D5FDF393F
                                                                                                  SHA1:D6D18E2CB66964A91BDEE573E7B1B51819D6482C
                                                                                                  SHA-256:3DBCDA618E10188A870BDD6BC40DF0C77343E9F08C3C37294502D1928DD859BD
                                                                                                  SHA-512:A5CC318893A7A39562DD582DE78991A59BE1EB095B55B4C9B501828F80CC59452E278431D89D8664414493E9E2488002CC5FD48A35E278345FD1243DD7E4CA72
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):145456
                                                                                                  Entropy (8bit):6.2039015654237115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:QRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhf:E9XeDmzV2yzlhKLFU1lLVp1+2flYFsyt
                                                                                                  MD5:BB6CAD96D2B79192E0457E397B487228
                                                                                                  SHA1:CC3EE8403BD2E2E030D58F4CF0544A2896EEDB82
                                                                                                  SHA-256:E9901A92E73DB1EECF599755C757ABF8F8C986F267248E5EE810A4516CF29460
                                                                                                  SHA-512:5FEDA73B225DD6D4500E2917817B16C397F09F83AE4591DBA16228F3A6F417CDB3479AFC0D08C27FD4D02AE6A0C96D75B694E685ADF026E97751CD5BD44170A7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29232
                                                                                                  Entropy (8bit):6.674133418263454
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:9mYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF61Nyb8E9VF6s:fSJh5tIYQzT5zyF6REpYinAMxCNA
                                                                                                  MD5:136148BC7073584591B2F0D9167FE087
                                                                                                  SHA1:699C1F47D17121F1E469C6916EEF39CDF741B147
                                                                                                  SHA-256:214B7B634A04D5FB9BF3E4E7E4EFE34732C5E108E4AABC59EF54D5BCD1A16ED5
                                                                                                  SHA-512:24539D34986E3957984ECCF3FEE79591BCBD0C11A95117B95E265FFD1C87D420578C885591D1B9B91D749DF155B8B20226DBD82A7106C9A70E199C203C1E8495
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):219184
                                                                                                  Entropy (8bit):6.063177879478984
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:sYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhl0:sYqqbe2CSod5dtM8ww7Po
                                                                                                  MD5:C4D5C80C67148458DAAD0245E4712543
                                                                                                  SHA1:E43FC3490BF719C71381C0D0D4BBEDB227565191
                                                                                                  SHA-256:65E55AFDECA9A641637FF7F3FD263E0F92522DFD512D449AF3862951386DC989
                                                                                                  SHA-512:7EA7085F76A6D8E960A7B07053568F8A006CF3F032BF88FF565C5D96B5A6CD30BD37307F26C932C4A75E80565DFAFEFFE2C1B44EC22163F1511BBC1A3FB9BE84
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):319536
                                                                                                  Entropy (8bit):7.0489882734368905
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:ocvArKVm5mx115y505H0jIfJMSFk9X0jIfJMSFk9c:GrzwJMykwwJMykc
                                                                                                  MD5:C591BC266A18C7E0896BC67070E82A14
                                                                                                  SHA1:12749511C4CCDBB4075882D27CA458E3F6CC1DEC
                                                                                                  SHA-256:DDC0B2B904EB6E280A7B6E211D4A514FAF302C22E2F138A551C8F82B43CC231D
                                                                                                  SHA-512:D39F69E72AB37AD355298B03472C0EA6577F72BC97C421AF92A2569FA9EE77E557B8255DAD6B81334CF7586D793983CA443599B77A57CA46A01DC8E4A6059EDE
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):432
                                                                                                  Entropy (8bit):5.0141792226861375
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                  MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                  SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                  SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                  SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):215088
                                                                                                  Entropy (8bit):6.030712364489919
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:Ed1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s3:EMIzm6pOIgvr7q
                                                                                                  MD5:B6C261279E35A4EC920473DE03D60412
                                                                                                  SHA1:850C9325D7D10E4700B643E31F260B42B8626111
                                                                                                  SHA-256:3BA8D4A359693715E5187BE3057FE193FD9046AB75134FC56C16C1FD6D990D29
                                                                                                  SHA-512:1D2F6FB581790FE6E1925DB749ECBE556C2243093D81899248C78A13C4D3947D59E35508486B51E1B2474690C44A65A33B8AA247CE5536891E5C0FAC2DB64BC0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):398896
                                                                                                  Entropy (8bit):6.134294394466507
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:LjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvi:L+e55LgIkTmyAAfTnMLvi
                                                                                                  MD5:47D5816099AD49878CE2B655D1B9C9DF
                                                                                                  SHA1:659748A485051BC52E9D5D1D4CF99411DAB7D2CB
                                                                                                  SHA-256:ACD76EFF9F9B88957AE2D18FCC5B3B73F0DF89E91E7ACFD5897F996598C2E0DA
                                                                                                  SHA-512:3C7DD943400F859E9962DCB30352DCFCB4542C895E1C2BEB0D6A79921D737981C28A55A6DCC98D524AC2175B55D24E79A2A5B68DBB8A859EEC05D083506241CF
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960859492666102
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:dBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUm:dBjk38WuBcAbwoA/BkjSHXP36RMGr
                                                                                                  MD5:8050D3052D86AD11EB7D413E54B4FB83
                                                                                                  SHA1:265B4C2B109139CC1C957F211454855808B8657A
                                                                                                  SHA-256:0EA156202E551D5E0A346ACC75087930943696ACF9094379A024E795BC5C008C
                                                                                                  SHA-512:D332937D85A860C97F59D1B32BD3940AEDB9508F0FF9637F1D66A01CFAA77852F69A9D1A734AD9CFAE57C8CC744AD7C8EBCAF0D4778142512FEE9B0E8969466B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):154672
                                                                                                  Entropy (8bit):5.991185919362003
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:A4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otckj:A4wZywKn/U5xEwKIk0Wn
                                                                                                  MD5:52348921ABEBF830E700999998A6F206
                                                                                                  SHA1:E92BF0C94E16748BE14A890FA2D275A80BA0E263
                                                                                                  SHA-256:866268E0378E7DF84E3A333F7A9BA1E11C2A419A84F17626F421414DF07B13DC
                                                                                                  SHA-512:79D45D4A452D7E890F15AD8910B2BF893A95B6005B09E004AF0C31494641E9629D891A2EF8D635C0CEA0F1ED93DF57A1FB5659D4879A1C530E3E791552F93F11
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.672110215065152
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:KrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAE+:KrMcXP6gEpYinAMxCK
                                                                                                  MD5:0442CA8E942D8B766DAAEAC8014A02E7
                                                                                                  SHA1:6D08C35DADB0C438D2E5833BA6EAA177A4FE298B
                                                                                                  SHA-256:48F63E17D05DAAFED8458995FDD7A8581D6587A1D8D93FA04D0D39FC93174563
                                                                                                  SHA-512:B277D59ADEE4BF0A7DAFF9021DD6D66DF790969BAF3DDB40CC12073082011E79C9D0821B75E8397FDC083C0F6F28B7C556053A48D366782BA3CDC921C8681F4B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):420400
                                                                                                  Entropy (8bit):6.109588205722666
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:95douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFi:9pjblhW1C
                                                                                                  MD5:5B6872A7699B7EFBF581FFE8A3C62DC0
                                                                                                  SHA1:62098EA3AD8D78AB774112F730DA4CD99B0E995D
                                                                                                  SHA-256:D21C26667F92B7E336CEA05B433EA7B36E38AD25C00ED70F0FF7D2F5A3BC094D
                                                                                                  SHA-512:FB1D71D35A2A0218E850BCF77636F3CB646248E056D18F643D59CADF54E20C44BD3296A520DC56F463E4A7F08F29061CFCE229EFBCE253A26C5537AB567D84A4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):142384
                                                                                                  Entropy (8bit):6.161386138446645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:+UGrszKKLBFa9DvrJGeesIf3afNs2AldfIQw:JBFd3/aFs2F
                                                                                                  MD5:E5BBE2EC664C81A0AFB7404F95959717
                                                                                                  SHA1:944B9B82457ADB652BEF4D516393E70845E6DBE9
                                                                                                  SHA-256:53494A667DA154CE4F00A176F9D4DBF34C24219241DC8CBBF1EBE3A5AC0B0DA7
                                                                                                  SHA-512:E643AA8C15F99B4DAC7782B4EEA15C3A9BFB179F9D6E0ADED7F999F4FC4D495F6A7B0A4CDB5B462E4A60E122CEBC3286B9A533D693C495A37BBE84A4CA4737DE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):110128
                                                                                                  Entropy (8bit):5.5115380056194665
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:qPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7Hx7:qWw0SUUKBM8aOUiiGw7qa9tK/iR
                                                                                                  MD5:72767F14726F1045A522DCFDB72DFB13
                                                                                                  SHA1:8D8F878AD6FD9D98CD3E7CC59B0896553A90FA47
                                                                                                  SHA-256:A457917B4A6AB01243957CA4AD24C72798E49B496FD42B6ED75F7AB6AA292E0E
                                                                                                  SHA-512:AF7C0D246E7B1541B5B79D04BD433E2775F95E160C453E662DF8EAEF7698413D96FA55FDBAE3A1E263F2821503637088EB17DC4B2AAC8166A405945ABD44776E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.674100789852014
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Hh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBY6:Hy9eEpYinAMxCA7
                                                                                                  MD5:BDF1852A03720021CA58E98C5D7FEF70
                                                                                                  SHA1:323A8FA28B83065E797A68B0705BE6EE51ADB0D2
                                                                                                  SHA-256:979090AE2923D45FBDD51B57B4C861140A5BD61CB9FE2D9AE03CEDDA9E8A62F6
                                                                                                  SHA-512:AF280A23D74E43EA67FEB52CD83F1DD776BC6004C4CF8D53CC67BBF98751E309895FE53553F8196E8DC9A93F84C40348BD7E5CA6FA4F5D9F429A184EA35B30F6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19504
                                                                                                  Entropy (8bit):6.522690976795831
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:oyPa16oAL4D+wW9IWmDIW4IWYDcNyb8E9VF6IYinAM+oCFZkz+U:oWs6oqDjADKeD8EpYinAMxCYp
                                                                                                  MD5:3A7AA039FABEB4F6386AF98BACEC0232
                                                                                                  SHA1:6F5834497D52EBD14F9A857C5FA46879DE8E6AF2
                                                                                                  SHA-256:748784FA9FC1B2163559C407E57A83A0ABF1ED18A06C1209BF81E36E3DCDC557
                                                                                                  SHA-512:F3B2EC192020C171D376C7DAC14C5A105E70384C49940986105A9627793277B6724A59ECE9E77DCA0FF8CD5BF3D3780C557F51211B3D57ED0B272AD761D32FDE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):42544
                                                                                                  Entropy (8bit):6.380524097436915
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:T9CYs62PirM9Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3UpoztjOqNyb8E9VF6IYinO:T9rM94GX7nwOa5VS2ozdOqEpYinAMxCb
                                                                                                  MD5:0A47D3DEC633844E1DEABF0DF78E087A
                                                                                                  SHA1:C7C1AFC4B57BA915F63B74207D097FE57AE1B3A2
                                                                                                  SHA-256:DFCF6C95FFA5C8A87C5D1920C670395003B15F6458263D593AD68E4CBE1A2B27
                                                                                                  SHA-512:F628B02D5E735C080F7E2D4C0B7867CC338F2994AF3652CBA18349F84A5BB043EEAD2113A5F859AE0EF97F5CE8120A9C27E4AF1DC663E9BB609E51BFC7796911
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1547
                                                                                                  Entropy (8bit):5.008195800038022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                  MD5:029F543956E8B235A70112C77912150A
                                                                                                  SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                  SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                  SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):68656
                                                                                                  Entropy (8bit):6.105195641021154
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:wkwOyj5zzqIsN5PZPeW2UVf5WCmsxMVmD1SM1A6DRFsdDnWqYOpgEWEpYinAMxCR:JwO+zmzhr/WMIM1RDRF8DWqYuX7Hx3q
                                                                                                  MD5:786E884FB7DF208F85F19BDAD13DF6E1
                                                                                                  SHA1:F64A173A7C30D64C7283039D120F09B24EE6511F
                                                                                                  SHA-256:84484EF97BFB07F8F7CB7206FAC69DC906F2FD249CC0475369CE62BE81845E9A
                                                                                                  SHA-512:B0B7A5FEA35DCDDD2744F11EA42038F12B70E5B71DAAA2FA40E1DE335C19442000D96794020296ED65DDF49E92CF1DAA739994458668C8BEDB6B264561C04632
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):953
                                                                                                  Entropy (8bit):4.9874198404771155
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                  MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                  SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                  SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                  SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):349232
                                                                                                  Entropy (8bit):2.891103574883147
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:bwhVuqSb/jb5BEH8VAynnnnnnnnnnnnnnnDn+0:bN5x
                                                                                                  MD5:1905B32BD7DBD65D51E066D70ED8B6A3
                                                                                                  SHA1:1BC95603F4244BBD027C8181B2B968FBD4D32364
                                                                                                  SHA-256:2C7295B8F9741EA3AC6875460CEC8DD73E8AF43DCC1B8275F2C85BEDBD0E2F51
                                                                                                  SHA-512:1C9F63A85EECFFC3D26A21A1AB57D72D1E352D51EC20F9F573921FD972913F14B36968C8B087A5A8D87C15500F12E51767217D78802E9B603C787CB46E80F974
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1547
                                                                                                  Entropy (8bit):5.008195800038022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                  MD5:029F543956E8B235A70112C77912150A
                                                                                                  SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                  SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                  SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):349232
                                                                                                  Entropy (8bit):2.891103574883147
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:bwhVuqSb/jb5BEH8VAynnnnnnnnnnnnnnnDn+0:bN5x
                                                                                                  MD5:1905B32BD7DBD65D51E066D70ED8B6A3
                                                                                                  SHA1:1BC95603F4244BBD027C8181B2B968FBD4D32364
                                                                                                  SHA-256:2C7295B8F9741EA3AC6875460CEC8DD73E8AF43DCC1B8275F2C85BEDBD0E2F51
                                                                                                  SHA-512:1C9F63A85EECFFC3D26A21A1AB57D72D1E352D51EC20F9F573921FD972913F14B36968C8B087A5A8D87C15500F12E51767217D78802E9B603C787CB46E80F974
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1547
                                                                                                  Entropy (8bit):5.008195800038022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                  MD5:029F543956E8B235A70112C77912150A
                                                                                                  SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                  SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                  SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):58928
                                                                                                  Entropy (8bit):6.156715381451213
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:QXZjAOF44/WlibUcNsEaHLBQD2LAN1LGk+CXdNTjRdg8eegCEpYinAMxCyd6gW:Qp5Fre8b/NOLCaENdGBCzXRdVeLD7HxC
                                                                                                  MD5:7F378E3B244D61A7812DF5D3AF545BAE
                                                                                                  SHA1:EF0F321D4EDB3BA46DEE6AE9D3F2B2BA242BCAAD
                                                                                                  SHA-256:DCCC80DC4DDDB1A1D17493BEC28BF66F1D25B439629B0EA78A90F477BB9A66F0
                                                                                                  SHA-512:756991A180A2D42AAD28BCBD38C357E88D0C229A8AAB8150DD4CB730AAC12E1B056D8388FAE5934E17CBA01BAE67E3444C6A7FEE42D513B6A6664C7729F40A15
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1191
                                                                                                  Entropy (8bit):4.971943087661362
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                  MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                  SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                  SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                  SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23088
                                                                                                  Entropy (8bit):6.501501704353423
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1LOGTOwM15TRwLm6orgNyb8E9VF6IYinAM+oCyyme:1nMTR0PaYEpYinAMxCD
                                                                                                  MD5:6A451EAA2F614831B8F92DA3B3C14984
                                                                                                  SHA1:6A8761DFF53DDA2CF22C0B185684D3299979EC05
                                                                                                  SHA-256:8D7B1FB1598CE54737C18576727976861A3064EED20BC02B070DDB75F438C42B
                                                                                                  SHA-512:7B5ED62C323BCC725EF5E63315347674A5916F7720CCCA389BB594F6F0B73D574F04CA2C26D795F18DAD51834054B64007561A977F54058F6AF3B9B0706802FB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1817648
                                                                                                  Entropy (8bit):6.551387792056093
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:G9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkPk:G9Nzm31PMok
                                                                                                  MD5:9C2F6B1A38DDB691A45F6ED5EE311B24
                                                                                                  SHA1:A7EECFD000869CC6DDB2A180649D71C1D86F2AB2
                                                                                                  SHA-256:4B86945BAFE5BD2381A83922ED2EFA4E6D06F998E6265E5B668718D4485E61FB
                                                                                                  SHA-512:47BF6E6E2A171C67FFF7579C95392DC50EFCA0B1F416438F49CA063C22411AC66FBC82B473358243DB499A50E2CBCBEE6B42A343C627A7F90908C8C3F7BD1DF6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1436208
                                                                                                  Entropy (8bit):6.781367706688584
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:3s5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEsQ:alI+vIjE7mjOuKa8Riy+gvhaIn2+0n
                                                                                                  MD5:41CDFA24B08B989CD6DEE220341BABA8
                                                                                                  SHA1:E7D53A4DEA83B7F43E34FB9154A7BCC2D0AC76CF
                                                                                                  SHA-256:1EF78A50CF2211641B86F93D1DD15142C7657250E2B134C204F95C83D256A346
                                                                                                  SHA-512:AFD93EE3F9F9897C45DA2AA639153EA06621B0A9DBC67210F7617389BF79C7449F1CB80036B66EA39C318121F9F6697EF8BF945958E882DC0812D85247B497E4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):582537
                                                                                                  Entropy (8bit):7.999529358280024
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:12288:jFWPADWqxzsjJ/91r5+50BxeCMJuzjFxI5RWV7ZK5j:E8WQzz50Bxel0jzZU
                                                                                                  MD5:8C3A8B04727329AE1B41873E81F360ED
                                                                                                  SHA1:EF4647DAB3A94EF49769FC35DED7C9DD2E506A8F
                                                                                                  SHA-256:EF5E5D94D5EACDCEDE92FB99FC3439EDD44FE53E352ABE058FBB46E43066AB6D
                                                                                                  SHA-512:A47D96A9C97C6C6A5972182C5797C0B1B6A15B9DC7017CFE7798061540C5C686426473BA502B2949D0AA16547D92758E735BCF8CDA1C09A0326B14479239A6BB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52272
                                                                                                  Entropy (8bit):5.836724024105667
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:ExCQ5h7KT77yxeqGLQOFfxicft9w56PzePEpYinAMxC6:ICQ5hGP7T3kSBft9w56P6o7Hxd
                                                                                                  MD5:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                  SHA1:0613CAB68FFB3903A18ED5F4967D52B4815D2499
                                                                                                  SHA-256:9FBC99E85F5FA709D0D21854D4FE1FD420C7DEC8EC1F7105BE74EEB282EFFC8C
                                                                                                  SHA-512:D0A27917F420968355AF04D572D597F83D8011A86E9C32546C0A7BE493556AE0618894DDA04CADC935A16264D7685823425D1E57F1A0873F0119A74664F88956
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):535
                                                                                                  Entropy (8bit):5.076084597400077
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                  MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                  SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                  SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                  SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXTLd:WBTp
                                                                                                  MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                  SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                  SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                  SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=26.8
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96816
                                                                                                  Entropy (8bit):6.180127833270033
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ZJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxw1:ZQUm2H5KTfOLgxFJjE50vksVUfPvCY
                                                                                                  MD5:F8FE512BC57CBF44998221FD3C5944F4
                                                                                                  SHA1:7AAC2422B394A66FDAFA69B63CFF174ACCA1C867
                                                                                                  SHA-256:5D8527636659FAFA79AEB46A6C235C9C302EBEDF08196700C38C6592A404F71F
                                                                                                  SHA-512:AB5BCE24D24F441438A7DFD3E525511DFA2A865EC93BC39F25B5DD46E99EECEC8D2A0FB181BCBBD99D71F366FB00A47751B41A5926AA1031ACE905E453982E65
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):186416
                                                                                                  Entropy (8bit):5.93420260026271
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:+kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFeJ:o+c7b1W4R6joxfQ8Q
                                                                                                  MD5:A22369218A10056E810C621DB7F390CF
                                                                                                  SHA1:17B681E178D96185987EFBF578DFD340A5FBF356
                                                                                                  SHA-256:987534702FC690CFB0C8B21691C91FF42268FD21C27925D93F0F788FBE03EE80
                                                                                                  SHA-512:6D49C50DF7599799902C7544C6B60300B8C2736719C408E828306ED7839EAC63AD5FC003E5FCA0F25623FBBED7244E0BE4F5EC2D7C6C529C53944603088B61E2
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):331824
                                                                                                  Entropy (8bit):6.169000089371824
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:QBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNT6:QDMUWITZznu85k8Wdn8KmCjIFi3VvG
                                                                                                  MD5:DDA5C3CE3FDBDD8A7EE32FD4C52E1A7A
                                                                                                  SHA1:8C01C9943BDBA54ED58FA308408AB5961647FF03
                                                                                                  SHA-256:42DBAE4DC463C840A39C9DC5A0DB218C565013EAF08CE2340DF78E1F83A3F0CC
                                                                                                  SHA-512:4C10E61D86F3822FFEFFDA55B0A0C6063C1AEDB9AF200A5747CA4F84754C396D88ECDCF25F54834EDCCDF303AFDAF6FF25116445C381AB77190A78AE3C286136
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960836949197253
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:0Bja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUG:0Bjk38WuBcAbwoA/BkjSHXP36RMGj
                                                                                                  MD5:9B18B6E518E2088BC98D77C3ED163319
                                                                                                  SHA1:4F6C785597BBAB2BCAFE0527E99F2271D334B628
                                                                                                  SHA-256:ABBD5647F1F025E7D0B1148E909B3CE9D9CFEA3B737B156889C0EE33F4C42C92
                                                                                                  SHA-512:A2EA7FD06834A047AE64CDFA762CD55A8BC486912933E254EA565E1294C75CFA24DB66990C87881B05156F5549FC7E695E2439E736B7435EF8FABE7B36A5EF51
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55856
                                                                                                  Entropy (8bit):6.238978848951217
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:hREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpBEpYinAMxCWLg:hR8+5k15z0WBZEtgwJq7Hx3U
                                                                                                  MD5:DFFF197E97490BB88ACF7EBB14870A4C
                                                                                                  SHA1:F355204DCB7F9045A91F3C6E20AB9D54C42A1B6C
                                                                                                  SHA-256:65AA35A36E77421CAAE591068E7C3AD23E1DFE3D51D5FBF39F8F308B4F19970E
                                                                                                  SHA-512:6F450AE14BC9EE67D99E894CD1F256F7D6885D03C8BEC8AD449F26B0D2FA64036763432BBF69D5887C7053E7BF5B2EFC4030C584731054B5FF4F6EB335C16C15
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):602672
                                                                                                  Entropy (8bit):6.145404526272746
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                  MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                  SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                  SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                  SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.954475034553661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                  MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                  SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                  SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                  SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):753
                                                                                                  Entropy (8bit):4.853078320826549
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                  MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                  SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                  SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                  SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7466
                                                                                                  Entropy (8bit):5.1606801095705865
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                  MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                  SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                  SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                  SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):145968
                                                                                                  Entropy (8bit):5.874150428357998
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                  MD5:477293F80461713D51A98A24023D45E8
                                                                                                  SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                  SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                  SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1442
                                                                                                  Entropy (8bit):5.076953226383825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                  MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                  SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                  SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                  SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3318832
                                                                                                  Entropy (8bit):6.534876879948643
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                  MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                  SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                  SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                  SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):215088
                                                                                                  Entropy (8bit):6.030864151731967
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                  MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                  SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                  SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                  SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.96048066969898
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                  MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                  SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                  SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                  SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):602672
                                                                                                  Entropy (8bit):6.145404526272746
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                  MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                  SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                  SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                  SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.954475034553661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                  MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                  SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                  SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                  SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:ASCII text, with CRLF, LF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):257
                                                                                                  Entropy (8bit):5.218395581698955
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Ao4fiWs89w3pKFSQY1dn9DFDfFDEfVIFDf4DX:L4fO7MSQY1xZEfEoX
                                                                                                  MD5:1FC97E320635CCD7AC127CD5068C7375
                                                                                                  SHA1:05F7BBCDE31F837A412649B1B31605930C744A01
                                                                                                  SHA-256:1B5F1E9453E9A51378157FFC71272E1D3DB4DC50E90D6BB64F49FF7EAB43C58C
                                                                                                  SHA-512:78F79D194573C5831E5DA901340F8B9BF2CAFEECB0758C0E9A514499403203BFBE5AAB150D9E41627ADFBBB772487ABD13E2F12D494C64486BDD7C1E1383018F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:/i /IntegratorLogin=apae.leticiarozanski@gmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000LJyPNIA1 /AgentId=b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1.15/08/2024 18:34:17 Trace Starting..15/08/2024 18:34:29 Trace Starting..
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):178
                                                                                                  Entropy (8bit):5.21680614479657
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:5PbTsPJHVAxJU4qgpIvJrbWw6UgMHDxYpzhgRyq/pYRh6RlSEfrsf3J2MzqRI+OS:RbTGexJBqgmR/ZRgMHDAzhl6bPj25rmD
                                                                                                  MD5:152DCD696FAE5F4256F0A0F7707EE53A
                                                                                                  SHA1:E902A5EDB44EFB3F452875F9D4842B068E0D9192
                                                                                                  SHA-256:F1C74BA3AFCA441967C98EBC7DE691B3C9144A72A3B29D10569C58720DE1BC2E
                                                                                                  SHA-512:65085831424E1E265969B7FD3283B9EBA90B37DE204F69C6373BE636D56A0180CAB12B376C9EEDB862D815E2D475DE09084FA45E3B2C27A4829756B9208B56A9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:eyJJZCI6IjljZjJlNWRhLTg4YWEtNDg1MS04ZjVhLTgzOWRlMDBiMmJlNCIsIkNyZWF0ZWQiOiIyMDI0LTA4LTE1VDE4OjM1OjEwLjE4OTI4NzktMDQ6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with CRLF, LF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):257
                                                                                                  Entropy (8bit):5.218395581698955
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Ao4fiWs89w3pKFSQY1dn9DFDfFDEfVIFDf4DX:L4fO7MSQY1xZEfEoX
                                                                                                  MD5:1FC97E320635CCD7AC127CD5068C7375
                                                                                                  SHA1:05F7BBCDE31F837A412649B1B31605930C744A01
                                                                                                  SHA-256:1B5F1E9453E9A51378157FFC71272E1D3DB4DC50E90D6BB64F49FF7EAB43C58C
                                                                                                  SHA-512:78F79D194573C5831E5DA901340F8B9BF2CAFEECB0758C0E9A514499403203BFBE5AAB150D9E41627ADFBBB772487ABD13E2F12D494C64486BDD7C1E1383018F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:/i /IntegratorLogin=apae.leticiarozanski@gmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000LJyPNIA1 /AgentId=b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1.15/08/2024 18:34:17 Trace Starting..15/08/2024 18:34:29 Trace Starting..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Algol 68 source, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):157873
                                                                                                  Entropy (8bit):4.753497932507659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:ZHXt/BWDLm8arfT4h6+2j+S64ioX+g15titNI6cSM:gDLmtrfT4hj2ju0X9wGSM
                                                                                                  MD5:AB3D7C0401590BBDAF4B3C84592D24D6
                                                                                                  SHA1:756F86B49CA2035638F77BBEB60CFE6A827B553E
                                                                                                  SHA-256:4428A8B3F1A63312918FF5F8E1D5EE1F6EEBA9D73A336721338D494D2B6E5F6C
                                                                                                  SHA-512:24AAC8D02347EF3E226531CA15B71714CB53546C7AA1B4D961A72E097C3528AE2590B00ECBAA7E80815E99FAFB6919D234E957DFCD08467CD753B24C004B6124
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<pre>Acknowledgments....This Splashtop software incorporates materials from third parties, the use of which is hereby acknowledged.....================================================================....AES....Copyright (c) 1998-2010, Brian Gladman, Worcester, UK. All rights reserved.....The redistribution and use of this software (with or without changes)..is allowed without the payment of fees or royalties provided that:.... source code distributions include the above copyright notice, this.. list of conditions and the following disclaimer;.... binary distributions include the above copyright notice, this list.. of conditions and the following disclaimer in their documentation.....This software is provided 'as is' with no explicit or implied warranties..in respect of its operation, including, but not limited to, correctness..and fitness for purpose.....================================================================....CELT....Copyright 2001-2009 Jean-Marc Valin, Timothy B. Terri
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):310280
                                                                                                  Entropy (8bit):6.406682858396138
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:B2ewUPD+fCEWepqJ1u45FC9xrIaPXiyVfl/7RohyyP16+Dfj8d3:NRPD+KLepIu4qnrIBy/7RoPfO
                                                                                                  MD5:FB1A6F0CB84ACB237FF0E42E5CF876A6
                                                                                                  SHA1:6CDEBFA5ABBF7BA48179DFF13A1343F3C4D9348F
                                                                                                  SHA-256:DA5E12D077875B4F93210B10689F28B6EF33480E3BD2362E80F11EDFF8C9966D
                                                                                                  SHA-512:2602908AB2FAF07C1957DAD00960F6432D08BDD7327DB96D1338C87B1E18CB025B381378BA4BC800F558D26D76922E5882481A99B17575D3D48208C289EE3B8D
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):249864
                                                                                                  Entropy (8bit):6.627715385431378
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:gbNEPN9Db8oxccZd8lZOWb1yBGAOnpe6nbXcw:gc/8oxc5yBGVpJbXcw
                                                                                                  MD5:151AAE6C0F0E40AB4138AF953768AB37
                                                                                                  SHA1:18F55A0707EE7140776D7857D0AF56D471289960
                                                                                                  SHA-256:F253CE8A8C4CDC4FD7A93A04515B208D461FF6E4076F64431E7EC7E9E5E08923
                                                                                                  SHA-512:40FFF8741C8AFB0EF2E6F8F69755F8A2E1F6422943341BBE680EEEFE939731F39E59D1C608B7C23AA649C3F2D93E6104E6B420A755F551F555504E1028B91C68
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40160
                                                                                                  Entropy (8bit):6.316240044981803
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3z+6yz3JqnYCblcp6wOmMQC4cT3AZ21w6LuOBjEwXxyvJ3GB1C2GCTaZum8e:3ByY12kwOm8s2diSXCIB1yC2HT
                                                                                                  MD5:1033D6EFB14B7C8308A261E7151A8FDD
                                                                                                  SHA1:C331C67E93DA33EAAAAA0A4033855F185A79DE99
                                                                                                  SHA-256:6A14EFEE1EAD8592B0E5199DB4E7256462F135D6DC10A803D98D03CFC4F1E678
                                                                                                  SHA-512:083C365FD00BDED1637CBA2DDCE2FC3D93A8C60122F01CCD675A13EFF4C7663EE0FCE1B3316755FC971B3A3E6D242E29236180508D03C803950E2159B374767B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):224
                                                                                                  Entropy (8bit):4.68750285687923
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dCiI4FDIIlfILQIIbdELV0Lr+FDIIGKhaL3C:kidCiRxt2QjdRCxeKcL3C
                                                                                                  MD5:EBC2A6216B737E813732ECA1BB1F2AF2
                                                                                                  SHA1:6E63AB58C2055A3F276C1CD36FA406E37C099099
                                                                                                  SHA-256:275C9771ED3AC2ABE0989A114804ADD0CCED09F8A1BFF1633C4F79929921713B
                                                                                                  SHA-512:248CD17E4836B429DF0923E8C04FD3F8ECAB7CC8BFF6761F06AAED420111FF5DBADCC974193701DEBF63655CD79E8E0D0B6C7599760B13ABA19B5C0E178BF7EC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd.exe /u stgamepad.inf >> inst.log..utils\devcon.exe install stgamepad.inf root\stgamepad >> inst.log..utils\enum.exe -p 1000 >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):232
                                                                                                  Entropy (8bit):4.776744518403625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dRLPI4FDIIlBILQIIbdRL6V0Lr+FDIItGKhaL3C:kiddRxr2QjdHCxwKcL3C
                                                                                                  MD5:4AD78E888894B3F89711D75D526E2D9A
                                                                                                  SHA1:A01DD7B5F20052AB27B721127DAB01A34666D4D9
                                                                                                  SHA-256:8B82E0E205711B8A22939AB86BF955DB938D2A733F57E48404DD118B5DDB9AE5
                                                                                                  SHA-512:CD6C972070593A6FE09778BC043C84CABE61E96FC3EA1B529D993540678AE0E99A641BFFAB87B3AE954977F0C0A9C639185889421225C185615C4EC34A8699F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd64.exe /u stgamepad.inf >> inst.log..utils\devcon64.exe install stgamepad.inf root\stgamepad >> inst.log..utils\enum64.exe -p 1000 >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8955
                                                                                                  Entropy (8bit):7.156854915296666
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:3F37o7MECwCNnYe+PjPGr9ZCApkT1rrZgjlerpLF+vc1rbrRnJ4aTT:3NEuwCNnYPL/p1P6jeL3JrRiaT
                                                                                                  MD5:214E5DB2F6D3FF72B6E4F3BACCD7ECB0
                                                                                                  SHA1:64CC6A8F3E79BFA0301924D4A18370CFDD8ED955
                                                                                                  SHA-256:C23C1C358705DCE49FD6D1BEB1B0482F74DFCE35FEE7AE4D0C79390385FD22F9
                                                                                                  SHA-512:E31E2455A7014937F3E9ECA05D192320CF6159CED333888C6612BE36453F72D76F1015FC1306D41F41CD5F4CB206028ECD99C0F28505D29B6E9E0F497D231D17
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1598
                                                                                                  Entropy (8bit):5.348428467214068
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:BoJAo10StKRqv8rI3OB/7wBZBZhvC3R7YxGcSF+125dLH/kvGPGo:BoJbkEvReNErZZcQ125CvQR
                                                                                                  MD5:5AE5F4B07FABDB969DDA6425E54C4DDD
                                                                                                  SHA1:A6686543B1236618863A1FA63FA2B14FA8AE54FA
                                                                                                  SHA-256:489CFA94B8FAEA97E0CF73714A65890418247BF34023DC4FDEBB03EF233B12F9
                                                                                                  SHA-512:C8751CF986E7A2800924D9707FB40AA95F5EE2431E16D5EEDC583FEA1F5351C95BF3FD90AC0EBD81AFC7262FBFA6C452BF1CA1B908E7360515970F146D0D6E50
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$CHICAGO$"..Class=System..ClassGuid={4D36E97D-E325-11CE-BFC1-08002BE10318}..Provider=%splashtop%..DriverVer=05/21/2013,1.0.0.0..CatalogFile=stgamepad.cat....[SourceDisksFiles]..stgamepad.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,\64bits....[DestinationDirs]..DefaultDestDir = 12....[Manufacturer]..%splashtop% = Vendor, NTx86, NTx86.6.1, NTAMD64, NTAMD64.6.1....[Vendor.NTx86]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTAMD64]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTx86.6.1]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTAMD64.6.1]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[StGamepad_Install.NT]..CopyFiles = StGamepad_Install.NT.Copy....[StGamepad_Install.NT.hw]..AddReg = StGamepad_Device_AddReg....[StGamepad_Install.NT.Copy]..stgamepad.sys....[StGamepad_Device_AddReg]....[StGamepad_Install.NT.Service
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33504
                                                                                                  Entropy (8bit):6.4990196288743425
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Uwyk2eCK3PRiZ1bcvrlEeT0OEM859sKkgTvEakiX5vFmXhBcfoaM8l1l3nzWPDP8:UupCJeT5EgKkgTMa3VFMmAalaPzumy
                                                                                                  MD5:4C3233F0B9A5BC7B58B464C9E1E86D52
                                                                                                  SHA1:FCCE254ED5DF8DE6D21623A6E53FA2AEEE030365
                                                                                                  SHA-256:832328B8DD98D51A9CE29C3953E85AFB036964299B93B9FB929023F15C63AD9A
                                                                                                  SHA-512:884A22B0CE16B91B1A04D6B5E99678CC584484FF5BE3D92ADDB27F0E9D58BFF57A9716C843789F9BD59EC79A55EF342DFD2A0EF39C6E7776CD4FC0211EE8DFCF
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):154
                                                                                                  Entropy (8bit):4.715757968072225
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:jTDVBF+jVy9kCCWo7EIbd/KiIKTAxsHs2yo7EIl2YILzDoC:/AjsC3IIbdCiI4FDIIlfILQC
                                                                                                  MD5:5D33C035F7B22B463DBD01BC0D31C9E9
                                                                                                  SHA1:5345461EF02D330178F047FFBD40C5F4B142A416
                                                                                                  SHA-256:45C7D88A3D4643220137D23DBE0EB5CE45DFB6AD16EDC1D6EE4CA8FD1C41AF49
                                                                                                  SHA-512:88E339E01417D6EFAA8271E6F3A9D077711508A3EE4D0CF3A95E6607C0282D201633113EACB8A142189F54476AD7B501EAEEA5AC2D9297A06B1A7A55D73B8940
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\enum.exe -u 0 >> inst.log..utils\devcon.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd.exe /u stgamepad.inf >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):160
                                                                                                  Entropy (8bit):4.807126999960993
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:jTDVBF+jVy9dJFtCWo7EIbdRLX/IKTAxsHs2yo7EIl3xILzDoC:/AjsZW3IIbdRLPI4FDIIlBILQC
                                                                                                  MD5:D0E7FCE8A8281FC10CB9548299254079
                                                                                                  SHA1:112A4EA65D2CC4A1C57EB6967AC058C8EDE341DE
                                                                                                  SHA-256:11F757D09B095A89D52A990149379618551D88E92E1C9BEEFED243A083487260
                                                                                                  SHA-512:8132F0DFE0071D3CA3CC5D4CD6ED2634E61314BF6BB84AF5B5F97261E3E26601F1C6AA5C8ABBDA596639CAF4C0E2AFC3A2DE46BB92C199894DD5CFC2DF519CFF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\enum64.exe -u 0 >> inst.log..utils\devcon64.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd64.exe /u stgamepad.inf >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11776
                                                                                                  Entropy (8bit):5.289815206775557
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Qexcism3zhYFH1u0BFhdzQV3TdfPq12pru6JEkb8oHA1Ib/meUmV:QeKduuf1+DEgprhh82Tirm
                                                                                                  MD5:5F1E3F3B071AB0D51AB45060D156AF17
                                                                                                  SHA1:2FFCC9CC689C7C3DA18DF015C4BCC880F185C800
                                                                                                  SHA-256:B628E895BFC38227DB258DB91959C6D55367877669944DA022A89469101D8BCF
                                                                                                  SHA-512:3EAAB54CD58350BADBE0F32B78BA7EA8EA50072AA159A3A36AD730116247D225C164CFCAFFE920C34D9287E55E68D933A92D4F7E7D3CEF9E8E3F185DAB629BC7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11776
                                                                                                  Entropy (8bit):4.886509604340361
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:reQH6MzhfmNHuhv9LIFJxGNIiTwnPXIXBY+CzASxvh1b7sAmIb/IeUmV:rezev9cGNIiTGOY9Dxvh1xUrm
                                                                                                  MD5:815848A1B7AA76DE38315A7C796165DE
                                                                                                  SHA1:131016320240F5760853BB0AE8ED34CE8865C4B5
                                                                                                  SHA-256:99FF169E6114BA53DDC6BFCDB08CF73CB1104E69EEDC2A13F39605A96CAA5367
                                                                                                  SHA-512:3A9453528FC5335AFF02717EE7271EBE253CF986FE71B7CE4BE4B060BE7EF625EA33877F98B2DEA54432A2F7625314A5B3DCF57518209E818EC03589257E69F6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1416
                                                                                                  Entropy (8bit):5.221234341229966
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VrY6t5UbhKRvV2ktXrTsIeZvEMtXrGrJKhrlXgpAY1u5lSuWJmiDUNLk32pNaf1E:5Y6qhKT2mvsIeZvEuarJKhpXo1moJmiI
                                                                                                  MD5:BECB66962164A387453E351769E665A4
                                                                                                  SHA1:D5651F9CE02E1D48E85A33DCAFB906F3DC575365
                                                                                                  SHA-256:294AE63315DCFCBA4F8BB30BC4098E6BF39281244BC215FE9EB8EA3B778CEC48
                                                                                                  SHA-512:03523212E1827635EB2573ABE2B1A3D66BA529990917B739AF6B2C6727223D2E99E4A353B21F2871FFBCA44D22623409EA1451CF0A0ADBED9C0E8DBB6E55C6CF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x86\my_setup.dll....REM..REM If OSBase/KairOS driver is previously installed, stop the installation...REM..sc query ddmgr..IF %ERRORLEVEL% EQU 0 (.. echo OSBase iDisplay driver detected! Try uninstall OSbase/KairOS iDisplay software... goto exit..)....REM..REM If older driver (lci_proxykmd) is previously installed, stop the installation...REM..sc query lci_proxykmd..IF %ERRORLEVEL% EQU 0 (.. echo Older display driver detected! Uninstall it first.. %DEVCMD% do_uninstall_lci_proxykmd .. timeout /t 1 /nobreak.. sc.exe delete lci_proxykmd....:wait_for_delete.. sc query lci_proxykmd.. if %ERRORLEVEL% EQU 0 (.. timeout /t 1 /nobreak.. goto wait_for_delete.. )..... timeout /t 1 /nobreak.... del %
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1414
                                                                                                  Entropy (8bit):5.220204645552163
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VrY6t5UbhKdvV2ktXrTsIeZvEMtXrGrJKhrlXgpAY1u5lSuWJmiDUNLkQ2pNaf1E:5Y6qhK32mvsIeZvEuarJKhpXo1moJmiX
                                                                                                  MD5:B80450985E33B188398EF5475FE3A4BA
                                                                                                  SHA1:6699FE7C174A9A585E3559A16877B5555687F6F0
                                                                                                  SHA-256:760BC44295820C5AF7E2D5077CE05EED8E23B3EF344D5C6C48422818DDE78D41
                                                                                                  SHA-512:BA29A71114A86E10ACE80F5B039DB68F4FE3BFD5592ECC6511D9AA0235E75ACFA188909EE0453593EBEFDB33DB46D1272C98A44350ABB24810C52FDEE817853F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x64\my_setup.dll....REM..REM If OSBase/KairOS driver is previously installed, stop the installation...REM..sc query ddmgr..IF %ERRORLEVEL% EQU 0 (.. echo OSBase iDisplay driver detected! Try uninstall OSbase/KairOS iDisplay software... goto exit..)....REM..REM If older driver (lci_proxykmd) is previously installed, stop the installation...REM..sc query lci_proxykmd..IF %ERRORLEVEL% EQU 0 (.. echo Older display driver detected! Uninstall it first.. %DEVCMD% do_uninstall_lci_proxykmd .. timeout /t 1 /nobreak.. sc.exe delete lci_proxykmd....:wait_for_delete.. sc query lci_proxykmd.. if %ERRORLEVEL% EQU 0 (.. timeout /t 1 /nobreak.. goto wait_for_delete.. )..... timeout /t 1 /nobreak.... del %
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):805
                                                                                                  Entropy (8bit):5.339948574341861
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:V8pgfeV4BZAK/1AN6gizSnOf6DE6Z9wmhKRvVLymhMm0KuKDLGuKw61IfQHyoHHO:VSIBBY6t5UbhKRvV7e6LpIJHT5C
                                                                                                  MD5:704D1CC8E0B87710278CE3EFD1C17954
                                                                                                  SHA1:EDF2D7FED5D3D88A657732B37C72E4CDEE90D12D
                                                                                                  SHA-256:FAB1408C7DE4B76FA3AF7AD4C9F25DF2063C591CDFC46445999D31B4DB712208
                                                                                                  SHA-512:6061B9BB1A4D55FD916A44C8619356DC4ED40C284F91FC2114CD5974533F762F88B4E0C49A265E96AD1E122ACFBA947D02AA3B11E43115D247FA0868661BDC3B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....reg delete "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /v "VirtualDisplay" /f....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x86\my_setup.dll....echo removing LCI PROXY WDDM Device.......%DEVCMD% do_uninstall_lci_proxykmd..%DEVCMD% do_uninstall_lci_proxywddm....timeout /t 1 /nobreak..sc.exe delete lci_proxykmd..sc.exe delete lci_proxywddm....timeout /t 2 /nobreak..del %SystemRoot%\System32\lci_proxyumd.dll..del %SystemRoot%\System32\drivers\lci_proxykmd.sys..del %SystemRoot%\System32\drivers\lci_proxywddm.sys..del %SystemRoot%\System32\drivers\UMDF\lci_iddcx.dll....:exit..ENDLOCAL
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):817
                                                                                                  Entropy (8bit):5.35613829912293
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:V8pgMyeV4BZAK/1AN6gizSnOf6DE6Z9wmhKdWiVLymhMm0KuKDLGuKw61IfQHyoO:VS3sBBY6t5UbhKdvV7e6LpIJHT5C
                                                                                                  MD5:319DCF0B017DAFA51C33A7489D123F91
                                                                                                  SHA1:60F8E32A2E7E05F2384D8B66E51F8FF1DE70AC10
                                                                                                  SHA-256:44A271D1DD10FFC85815DF277E708BE462CC5AFABC43BD0D7A9505E35A70E488
                                                                                                  SHA-512:EE6403E7069C1185F6F34A02DA2DE1FEC2F859E89523B769CF9EFDCAA2CD9E5AFA501ADC38169A86D86DA1570C789116A29C2485F87201CFD2A770EC447A55C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....reg delete "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /v "VirtualDisplay" /f....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x64\my_setup.dll....echo removing LCI PROXY WDDM Device.......%DEVCMD% do_uninstall_lci_proxykmd..%DEVCMD% do_uninstall_lci_proxywddm....timeout /t 1 /nobreak..sc.exe delete lci_proxykmd..sc.exe delete lci_proxywddm....timeout /t 2 /nobreak..del %SystemRoot%\System32\lci_proxyumd.dll..del %SystemRoot%\System32\drivers\lci_proxykmd.sys..del %SystemRoot%\System32\drivers\lci_proxywddm.sys..del %SystemRoot%\System32\drivers\UMDF\lci_iddcx.dll....:exit..ENDLOCAL
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):85216
                                                                                                  Entropy (8bit):5.323561566613011
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:34rhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkApiKB:K+KY04RMmSCYmBiF4O7WTgKB
                                                                                                  MD5:CD483270630CCABBD1902C6B21FBE9D3
                                                                                                  SHA1:B33C3139DD83F108591383449D4F9136189D8F97
                                                                                                  SHA-256:49D6B913A4095A3E7B14554C91942BD5CDDDF9DCFDB076B31921592AFF1BC135
                                                                                                  SHA-512:DC92ED176DBB7CC27BE1FFF90F875B2582869465156BD70F363902524C716822FB9657AA944A6F02CB1E77271F3D24F8667F4A678F5BB5B5846AB18E455A731F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):89312
                                                                                                  Entropy (8bit):5.29323585141242
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:UP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7WsK6:UePOYe4bu1epDh8RWsK6
                                                                                                  MD5:07361279885BC0B334DDF5754CDB12FE
                                                                                                  SHA1:63A7320CD6992E2509EB1D82D550B1AA5FEA6A47
                                                                                                  SHA-256:96411A783BAA574421659E73B11F111A0EEB3D9B105CA55E29FE6C0B820646F7
                                                                                                  SHA-512:D07F5DFFEAD4470CAA935F6CD250DF9CA77A2D28C0B84112D83CE9ED7AC7A01CB012773FB290612E4DE45776BB919C395533AD3AD5497A3469BFE5B43FB5D1E8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10957
                                                                                                  Entropy (8bit):7.22853921730831
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:0gNqq6a1DUuvE7EwWZhYC/nnbXfH098uXqnajH/svHa:0gEy9Zh3/njXuXlTsPa
                                                                                                  MD5:62458E58313475C9A3642A392363E359
                                                                                                  SHA1:E63A3866F20E8C057933BA75D940E5FD2BF62BC6
                                                                                                  SHA-256:85620D87874F27D1AAF1743C0CA47E210C51D9AFD0C9381FC0CD8ACCA3854562
                                                                                                  SHA-512:49FB8CA58AECF97A6AB6B97DE7D367ACCB7C5BE76FBCD324AF4CE75EFE96642E8C488F273C0363250F7A5BCEA7F7055242D28FD4B1F130B68A1A5D9A078E7FAD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4514
                                                                                                  Entropy (8bit):3.7887986776100973
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:9G2XN/WAXHQ+C2C4kqWDZXpbdl5Vjnijla4UAiI6fOgTiYqG585wg3Jp:9L5EDNRniWI6fyw5I
                                                                                                  MD5:1CEC22CA85E1B5A8615774FCA59A420B
                                                                                                  SHA1:049A651751EF38321A1088AF6A47C4380F9293FC
                                                                                                  SHA-256:60A018F46D17B7640FC34587667CD852A16FA8E82F957A69522637F22E5FE5CF
                                                                                                  SHA-512:0F24FE3914AEF080A0D109DF6CFAC548A880947FB85E7490F0D8FA174A606730B29DC8D2AE10525DBA4D1CA05AC9B190E4704629B86AC96867188DF4CA3168BB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..;.....;.M.o.d.u.l.e. .N.a.m.e.:.....;. . . . .l.c.i._.i.d.d.c.x...i.n.f.....;.....;.A.b.s.t.r.a.c.t.:.....;. . . . .I.N.F. .f.i.l.e. .f.o.r. .i.n.s.t.a.l.l.i.n.g. .t.h.e. .L.C.I. .I.D.D.C.X. .D.r.i.v.e.r.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.L.C.I.%.....C.a.t.a.l.o.g.F.i.l.e.=.l.c.i._.i.d.d.c.x...c.a.t.....D.r.i.v.e.r.V.e.r.=.1.2./.0.4./.2.0.1.8.,.1...0...2.0.1.8...1.2.0.4.........[.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2.....U.M.D.r.i.v.e.r.C.o.p.y.=.1.2.,.U.M.D.F. .;. .c.o.p.y. .t.o. .d.r.i.v.e.r.s.\.u.m.d.f.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...x.8.6.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...a.m.d.6.4.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12585
                                                                                                  Entropy (8bit):7.124479508046628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:M9yLPtUtkB7uIqhmbgE7EwWZhYCyZR/HsgKqnajVhY2c8evGd:gZO49Zh3e1MgKlxW2c8eed
                                                                                                  MD5:8E16D54F986DBE98812FD5EC04D434E8
                                                                                                  SHA1:8BF49FA8E12F801559CC2869365F0B184D7F93FE
                                                                                                  SHA-256:7C772FB24326E90D6E9C60A08495F32F7D5DEF1C52037D78CBD0436AD70549CD
                                                                                                  SHA-512:E1DA797044663AD6362641189FA78116CC4B8E611F9D33C89D6C562F981D5913920ACB12A4F7EF6C1871490563470E583910045378BDA5C7A13DB25F987E9029
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2715
                                                                                                  Entropy (8bit):5.41680725095282
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:qnchtOKbzLbS10bzPbSvb/mwwophwwoJOxWqrz61/zA9cjiJIjgW5FH1519HS4Bc:Pkua1YuSnEhn/A7ic4d4y
                                                                                                  MD5:0315A579F5AFE989154CB7C6A6376B05
                                                                                                  SHA1:E352FF670358CF71E0194918DFE47981E9CCBB88
                                                                                                  SHA-256:D10FA136D6AE9A15216202E4DD9F787B3A148213569E438DA3BF82B618D8001D
                                                                                                  SHA-512:C7CE8278BC5EE8F8B4738EF8BB2C0A96398B40DC65EEA1C28688E772AE0F873624311146F4F4EC8971C91DF57983D2D8CDBEC1FE98EAA7F9D15A2C159D80E0AF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:;..;..;Module Name:..;..; lci_proxywddm.inf..;..;Abstract:..; LuminonCore Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%LCI%..DriverVer=12/04/2018,1.0.2018.1204..CatalogFile=lci_proxywddm.cat....[DestinationDirs]..DefaultDestDir = 12..lci_proxywddm.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxywddm.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64]..1=%DiskId1%, lci_proxywddm.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1......;*****************************************
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53752
                                                                                                  Entropy (8bit):6.555505359489877
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:q4+LP4B5MAHFQq4OSGtGkVPKLIy0uwc0yeuUjsVbGVjp3haxZ3vOoKn:q4+LS5XYOSk1Kky0uww6s5mN3haxZI
                                                                                                  MD5:01E8BC64139D6B74467330B11331858D
                                                                                                  SHA1:B6421A1D92A791B4D4548AB84F7140F4FC4EB829
                                                                                                  SHA-256:148359A84C637D05C20A58F5038D8B2C5390F99A5A229BE8ECCBB5F85E969438
                                                                                                  SHA-512:4099E8038D65D95D3F00FD32EBA012F55AE16D0DA3828E5D689EF32E20352FDFCC278CD6F78536DC7F28FB97D07185E654FE6EEE610822EA8D9E9D5AF696DFF5
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):184016
                                                                                                  Entropy (8bit):6.2322376663017
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:uSNRRE5JX6GkYj9i/hXJTqHDh3ibNrg4WhC8MFMbgGYgITUP4uvo4B:uS6Pb5KnT2dSNsC+gGx62v/
                                                                                                  MD5:4DC11547A5FC28CA8F6965FA21573481
                                                                                                  SHA1:D531B0D8D2F8D49D81A4C17FBAF3BC294845362C
                                                                                                  SHA-256:E9DB5CD21C8D709A47FC0CFB2C6CA3BB76A3ED8218BED5DC37948B3F9C7BD99D
                                                                                                  SHA-512:BD0F0A3BBC598480A9B678AA1B35728B2380BF57B195B0249936D0EAAA014F219031A563F486871099BF1C78CCC758F6B25B97CFC5296A73FC60B6CAFF9877F6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138960
                                                                                                  Entropy (8bit):6.622950914796068
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Pi+6wKkplcu1L3/xFxqFYOA555ZRlremv59jYqN:6+9cu1oF/AnqqN
                                                                                                  MD5:67AE7B2C36C9C70086B9D41B4515B0A8
                                                                                                  SHA1:BA735D6A338C8FDFA61C98F328B97BF3E8E48B8B
                                                                                                  SHA-256:79876F242B79269FE0FE3516F2BDB0A1922C86D820CE1DD98500B385511DAC69
                                                                                                  SHA-512:4D8320440F3472EE0E9BD489DA749A738370970DE07B0920B535642723C92DE848F4B3D7F898689C817145CE7B08F65128ABE91D816827AEB7E5E193D7027078
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):122576
                                                                                                  Entropy (8bit):6.535740565012407
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:dfSVevFp3FKtVy8ka9N9UOUNFZWEw+1M4hyFi:BSYNpkUOUrgxeMlo
                                                                                                  MD5:B9B0E9B4D93B18B99ECE31A819D71D00
                                                                                                  SHA1:2BE1AD570F3CCB2E6F2E2B16D1E0002CA4EC8D9E
                                                                                                  SHA-256:0F1C64C0FA08FE45BEAC15DC675D3B956525B8F198E92E0CCAC21D2A70CE42CF
                                                                                                  SHA-512:465E389806F3B87A544AB8B0B7B49864FEEBA2EEEF4FB51628D40175573ED1BA00B26D6A2ABEBC74C31369194206ED31D32C68471DDDCF817FDD2D26E3DA7A53
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23528
                                                                                                  Entropy (8bit):6.370136009210867
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6kV9C2/s2Abnkr+YcSIVO67k5hVAi59RKzOqUIUz8JN77hhM/l:vP0bE+YHIO67kLZVj83ha/l
                                                                                                  MD5:D53AD812F1146CDDEA6A89806CC2439A
                                                                                                  SHA1:5102973DF29B7E70AD8845D3B5FA36DBEF294D56
                                                                                                  SHA-256:009DFAD5DEA03EA0C0B963EEA9CDCDB78668C8B35C19E2B92311D8703F00D6D2
                                                                                                  SHA-512:38C2BFF7125F5BFD51A5D4D49D3C68BBCF9065057686AF8CAF7C3025BAE27CDFF4928BFB37C26A6ABAA750C699B99619E874CDD5EEF79F0E4010BB9ACCE56085
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):48640
                                                                                                  Entropy (8bit):6.8164297445194135
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:xbWmecDs6zvVt94VbJqvhkqskgSjySwigs2K5m6Vj83h57zZ3ao:xbM6JX0Jq5kNGUsn5maI3h57zZ
                                                                                                  MD5:6A0CCBFF305B23A4BAE471025EC28D52
                                                                                                  SHA1:02519EC7FCC88969621B6DC7F1294DA4EA6EA611
                                                                                                  SHA-256:6659E90D80A2FA0CF9F6CE40E511D8763664E78820F27081935AC1BFD4723A19
                                                                                                  SHA-512:4D357E3E9B19E2C18D1D3A1E6916C542243D6FF24D783A526B9E1C1605C328CD079A77AEE38DFF19BEC66E584CFDB4DF910CF98DF668D1EB2E825E2D36F816F2
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138984
                                                                                                  Entropy (8bit):6.623789818078503
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:0i+6wKkplcu1L3/xFxqFYOA555ZRlremv59jY3v:7+9cu1oF/Anq3v
                                                                                                  MD5:4276EDDE541ED3F488FA26778BDBB0D9
                                                                                                  SHA1:16E06CA60A9F8BCA515D193DFD28B120446BC178
                                                                                                  SHA-256:617F731B8F55F1AC23E47FE3C7CFD1110F198A5A9EB207FC485F739808446808
                                                                                                  SHA-512:280D6C3A85B26B4EE57534D33F035063B1DD56BA3671B48700833E4A61BEF1805C86316888AA5D8645603CA655F4172311B20C98533058823734C276A3CEA66B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138960
                                                                                                  Entropy (8bit):6.623166316895491
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:3i+6wKkplcu1L3/xFxqFYOA555ZRlremv59jYWB:S+9cu1oF/AnqWB
                                                                                                  MD5:7CC448724952FA3B42A7B16DCBD4B50B
                                                                                                  SHA1:65CC211E57AE073EA89B188B66D3D473B403DEF5
                                                                                                  SHA-256:D90F351153CA9A51ECC24575B6A586A9A01AF24BD84F552F8305201260EE486A
                                                                                                  SHA-512:1C8F6034B4BA71C5D4508263DEDB00098C583F7EA4F39AE281E680C8DDA3583A0FE7FD00DD601E652CA0D301D29800AD13FC102038D4A836F99D44E331D3B2FD
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95464
                                                                                                  Entropy (8bit):6.7987777090492445
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:nbZYULZ73iO/kwji3FWx+FJ4gwgDNSV2U5ANaudsJvdjsCIrqhZxu3hUlZNO:nHL53D/djPxaJ4gGQU5ANaudsjg9+hZk
                                                                                                  MD5:21E18A96C9A2E6F0838DA7BBD272CE21
                                                                                                  SHA1:C940F5069CE95083865D2D985682D51296B81257
                                                                                                  SHA-256:6CA7A9B8F2600181A4D47FA7090FF37E412687E7EA64BA5CAC4319277BE60C74
                                                                                                  SHA-512:1819469664C0DDE5ADFDA140313C32F9874301E103FF74E95AC684BAB71D06668299B8092564993727DF380E276B2400C1E1025D9527F637826BFCDFC9D78E66
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20968
                                                                                                  Entropy (8bit):6.629648031240336
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uMuUBfWPmqKebW1j2zAAHOOntqVuvTRKzOqUAY8JN77hhecs:JHqKyWMvUutVjO3hob
                                                                                                  MD5:955C309947C5CAEFFB429DBF12DC13A1
                                                                                                  SHA1:5079A801E91F9ACBE996FBCAE6D402B7E5FC72D9
                                                                                                  SHA-256:59BBC2EBBA9CD056FBA8B80FC0E5DA9540D6E50F419216A1BB2A4B3E95AFB480
                                                                                                  SHA-512:BD4BBE228378466AD50F2B734438DDBD4FE8F6C7C3B573080834321C99E748512BE8511A927D4FD8B00635D320BEF7B245E05F174988F283B4339E1F8CED1BCE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10660
                                                                                                  Entropy (8bit):7.072232435699263
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:2vBYcjEdZubhLtaSu9sZscF8Bd1LUEduasnZH5:B0+ZKoqZsHLUHPnh5
                                                                                                  MD5:CCC20AC60F19430FBFDA6D49F164654C
                                                                                                  SHA1:425253D81B930175321A9B54AB4B6D736D6AF8A2
                                                                                                  SHA-256:D96B2FBFDD9245EA1D46994183917340912FE9A07AC569B4F70AD51123E55EDB
                                                                                                  SHA-512:F9B9AB9DCF0286F2A5635DD8BE1DF5F7718017EC580B46A217EC4B77615F7D7F0FEF4484886884A912172BF8F6C16252AD5E982205AACAB73152F65A67951475
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4514
                                                                                                  Entropy (8bit):3.7907010583152645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:9G2XNDctEXHQ+C2C4kqWDZXpbdl5Vjnijla4UAiI6fOgTiYqG585wg3Jp:9XcWEDNRniWI6fyw5I
                                                                                                  MD5:9CF8CFC1E0815F7D72D136DE87B08EEA
                                                                                                  SHA1:F2EEEC23EC55758E5072619B62E6851234FA6D3C
                                                                                                  SHA-256:9CA9C7A430D0B608F1A6ADDD9E2C17BF79845783356CE6230ECA1942A061B157
                                                                                                  SHA-512:6D3FEE674C83B1E68CAE7F079F74A70931D432751420300DB77DB2B237A88D81AC3CD8B4B82532DCDDEE5D1DBEF3077ACD97B5890DFA0A497B97D7594E3C15F9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:;..;Module Name:..;    lci_iddcx.inf..;..;Abstract:..;    INF file for installing the LCI IDDCX Driver..;....[Version]..Signature="$Windows NT$"..ClassGUID = {4D36E968-E325-11CE-BFC1-08002BE10318}..Class = Display..ClassVer = 2.0..Provider=%LCI%..CatalogFile=lci_iddcx.cat..DriverVer=10/23/2017,1.0.2017.1023....[DestinationDirs]..DefaultDestDir = 12..UMDriverCopy=12,UMDF ; copy to drivers\umdf....[SourceDisksNames.x86]..1=%DISK_NAME%,,....[SourceDisksNames.amd64]..1=%DISK_NAME%,,....[SourceDisks
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11975
                                                                                                  Entropy (8bit):6.929505838705397
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:qRVW/ujEdZubhLtaSu9sZscF8Bd1LUY6uasnZHou49L:k+ZKoqZsHLUcPnhou4t
                                                                                                  MD5:186504237027590F25BEA0EC539256C8
                                                                                                  SHA1:A74309D7CFA8EF410EC85D3801D27291E8BC915A
                                                                                                  SHA-256:4CBD88D04F9C3B3DE3625B25049EA6B7C1614FFEA8730667BFF01DD210415ED1
                                                                                                  SHA-512:9D4B89A95DBF8D0ABFC55AE44C9CBFB29EB64AB1FFFBB81FFAB4308ED4CFD040F9A883B2B7B7A375B1675DD08532378C38410F4DB737FBDA2913EB28DE18A933
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2715
                                                                                                  Entropy (8bit):5.418922446200014
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:qnch1OKbzLbS10bzPbSvb/mwwophwwoJOxWqrz61/zA9cjiJIjgW5FH1519HS4Bc:Pcua1YuSnEhn/A7ic4d4y
                                                                                                  MD5:07DC873615C74141FB8A646F6FE1D378
                                                                                                  SHA1:7E2D32A5ACE72B7F3919215B707096B52CC3B5EC
                                                                                                  SHA-256:F97F4A79BF9ACB0D7FFB257CB3E16687F6281B8687C79361B680764F3427EF61
                                                                                                  SHA-512:8D59EBD58BFCDBD0115C22148DDFB1DE73E3D0C2AA42B2772B75F12D76BFA4FC3E8356346F0BE9B8F5631443FBCCCFD63354235E701A966CE104BDDC9A4987AD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:;..;..;Module Name:..;..; lci_proxywddm.inf..;..;Abstract:..; LuminonCore Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%LCI%..DriverVer=10/23/2017,1.0.2017.1023..CatalogFile=lci_proxywddm.cat....[DestinationDirs]..DefaultDestDir = 12..lci_proxywddm.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxywddm.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64]..1=%DiskId1%, lci_proxywddm.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1......;*****************************************
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):46528
                                                                                                  Entropy (8bit):6.272518240848504
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:ql+LPDB5MAHFg6IWSG1ucVPajIyouwc09euwjsV3xnxhc:ql+Lt5X4WSM1a8youwzOsVxA
                                                                                                  MD5:F018A1846A12B5DFF4A5FB0343745BBA
                                                                                                  SHA1:C8E871A51E43B5E71A4D1ACA0A791B375CABAC86
                                                                                                  SHA-256:3E5D8C95805CAECFC1BF5F689F036D1831E375E573F2B0BFFA4BBB59EA36B853
                                                                                                  SHA-512:7DECEBD14950548436EB110F93A5951ABE42B6CACF8A041F77DFCE923FFB28B6B399EC3166F0D64A1B098F9671F73E43D020977D7EC093F7B786038C4A05C3B8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):176576
                                                                                                  Entropy (8bit):6.124833448410162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:WSNRRE5R1pHa9i/hXYTqHDh3ikNrgfxhxe74bgGY53Urb7:WS67jsKCT2d1NsDgGY5387
                                                                                                  MD5:37CF508FA1EB389ED85F822BAF9EF9B9
                                                                                                  SHA1:1720BEFADBD467FD715CE301545BC1FF02DB4681
                                                                                                  SHA-256:FA4CAC0B0361D85CE6220809FA85DFE3B295A187A7B58DD5FE5B06A7CE19F7FA
                                                                                                  SHA-512:B90CD035F83245EEDC1FC09ADEDFAC341411CFC47D130B891B2CC83B908F9F683DFFB140AA61F11B7BD15C8A5725070A92659CC567FA58F5879A1790B56833F5
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):131520
                                                                                                  Entropy (8bit):6.5166932980708925
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):115136
                                                                                                  Entropy (8bit):6.395746141588922
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25536
                                                                                                  Entropy (8bit):6.407648101166343
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41408
                                                                                                  Entropy (8bit):6.573292469340805
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):131520
                                                                                                  Entropy (8bit):6.516896540085767
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):131520
                                                                                                  Entropy (8bit):6.517207826538128
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):88000
                                                                                                  Entropy (8bit):6.656236620722421
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22976
                                                                                                  Entropy (8bit):6.652405722283548
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8367
                                                                                                  Entropy (8bit):7.279860186543382
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:+2A2RJoIo6vyowJL/aoxhHoe068jSJUbueqw4G:JRaD8YJLFHJ06dUb+w1
                                                                                                  MD5:092FF1A83123D816B748F0D382792543
                                                                                                  SHA1:C1D1E85955113B8AAB604107738E6B532FE5C706
                                                                                                  SHA-256:E81535236E4BDC5534677D05AB3DB67F03283E756233924945CC7D93D394DB5A
                                                                                                  SHA-512:7A24AF6CEF474663E615F9BCD5780D97D4249AE8D767EB60927A2BF7B7E66B1777486886C7A053C30301F98E22CCD5AAB7877BC47FA5000C34A707806B198864
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26048
                                                                                                  Entropy (8bit):6.292871779652706
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:U2dFSGikkp4cE8WWk2lg0ZeE313MrnCbuSLwJiU:deeJlGMroJIiU
                                                                                                  MD5:867F3CA0E3A4B57F5BA7519B645AED66
                                                                                                  SHA1:837676FE5C7B62AFAA4D49E6AC51EDF948AD1757
                                                                                                  SHA-256:1A392E8731E4F01476C54FB4FD408F590D8530C34E3835081886A0056A91E502
                                                                                                  SHA-512:27E21584DC54D1996FDFEE2002027061A160E89BD3B7249C017D91900381102674D65282E9B623F002F392BBF8649F0092DE9CB46C70B739A42EE62A3753C8FF
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2255
                                                                                                  Entropy (8bit):5.3700497661675906
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:ehVVpvnf4+BCs00c/9XSvFhb54y83WhJhdYpBBh22wlFTP/7bp:MJfJ00Si4yMyA7DwlFLB
                                                                                                  MD5:1B4F828FC21AA28C3CE863A31C1F9D48
                                                                                                  SHA1:96B8E2ED63F54BEB4E087712ADA7520C2379C5C4
                                                                                                  SHA-256:E7F85212D7708402910830576B0BD84873C24A1339CFD3EBBE5A2939127438D4
                                                                                                  SHA-512:9CF0E701ADCBBE05652F623A34849910C657FA9536513835D18FD184FAAD47B62C28437237A78494B8E31F5E27C0BDDCD9D4CB5C5B4BEDC56EF0842553AB3064
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg,NTamd64....[stdMfg.NTamd64]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup =
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11712
                                                                                                  Entropy (8bit):6.137352195821723
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:8hD6YJoIo6vyowJL/aoxhHoe068jSJUbueqycZ:8hD6YaD8YJLFHJ06dUb+BZ
                                                                                                  MD5:4B6B1EF53636E2C5A9EB9AF291970073
                                                                                                  SHA1:868C5A226293EEB37C513E106A80B9EE9A01684A
                                                                                                  SHA-256:25444A485A800E2609AD56179146DD24C41E3E56A10969037D4914BAA452DF53
                                                                                                  SHA-512:05B3D52E62ABB995B3EA4BEBE7C3D18354124772D97287BAAF4474ADBF9BD537AC258974C1C0B2EC1C7E3779D27D411FE74550FEA77A36D06A6D99FFD0628A7F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16
                                                                                                  Entropy (8bit):3.625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:setupdrv install
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1150
                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):90688
                                                                                                  Entropy (8bit):6.200545275172027
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:I/QY76jVjfCCHOLvctoA3eDDjEcUVzDOhtMRFS3CZiR3IeSkuH5ysQyMXq:I/QNjfCEoAOD0cUVWhmRLARnSDH5y1yv
                                                                                                  MD5:6C788D13DEDCD6EB9E022ACA8BD1C3FA
                                                                                                  SHA1:741A5342618A0AF7AC6E3F947FB3BC128477E237
                                                                                                  SHA-256:0BB050B230CA684DE7021D9B66303C71F408885163B20166E7047C223E0EE01E
                                                                                                  SHA-512:9CEEBC23EF82A302250291B0D3584F9CE9328DEA8850F49A3473B6B5392FCE4299AC0535A0F9AAF0A22047293DFD2AC70DF4002E21BF7B1BB1711E9984C9BC33
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):411
                                                                                                  Entropy (8bit):4.977180725182127
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kCdGk3hd0E23B1047V1j47V1u471kgAq3Gn3C:/1RqXRC4R94RQ4dAqqy
                                                                                                  MD5:2203EE251159885EF20D6970F67529C3
                                                                                                  SHA1:D775009C08D7EC7F684FC7B657DDC7BCB7DA94C6
                                                                                                  SHA-256:C3D0070A0EA5BB0708565930199C77E7DC4BFC31A6B368B2F8A7B0239E739304
                                                                                                  SHA-512:3A1BBF3F460DCDCDE1DE3D5F345973D1827EB717AB7FCA3C3DE5A12E324125EF94D7FFC34F664D5C1763790E3A4189F065DFCA4E0E7FB43E4BEC0DA32255E785
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon64.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd64.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8367
                                                                                                  Entropy (8bit):7.270789935373524
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:+90+LRJoIo6vyowJL/aoxhHoe068jSJUbueqNb:eBRaD8YJLFHJ06dUb+Nb
                                                                                                  MD5:80D00FB5201EE5E66D8230B8440A7643
                                                                                                  SHA1:0DD971723322BB0EC8D7EF71D6389F839F6EBE30
                                                                                                  SHA-256:C17A1DE10DF4DF8A51E1EE7EDB209E6DEBF34285E327A7C669EF0E04E1BED72C
                                                                                                  SHA-512:C01F6AB36E2007E18DE27B46CB51BC8896AF5666FE18F39DADB0DC90B0DAAC2AB6580F31B0B15BD83D5453932A1299AE17E8DBA298D20B656945DEB0506F6AB5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23488
                                                                                                  Entropy (8bit):6.423731919049599
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:QvTfgigZKPBRDwvp5BY83HV8diQFHbsQaD8YJLFHJ06dUb+DQ:QLfpqKZRDMq6HV89HbsQSLwJiDQ
                                                                                                  MD5:55CB63E6661D7A911C74BF39986336AB
                                                                                                  SHA1:1F26A92347F58DC9616B611F1E8A29E0E6B94D67
                                                                                                  SHA-256:9C5E913DB4B4BE861EEC63C071FBCC6A3BC60A0D11949EC47251780508A83E25
                                                                                                  SHA-512:B31838612588A4CA9BB6B7D5DD0EABB69BF8FD41170FA71A0D7357D31BAFDF3075F0DE070160AFB58DAACEC5BB47EF34316E652DE9421B186F91BDCAA2BF58A2
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2243
                                                                                                  Entropy (8bit):5.362010783542873
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:ehVVpvnf4+BCs0j/9XSvFhb54y83WhJhdYpBBN22wlFTP/7bp:MJfJ0di4yMyAXDwlFLB
                                                                                                  MD5:AEA986639139A63559A39BE4A9986B39
                                                                                                  SHA1:87E84FA756B98F1437FF8F8DD9A2DCB6D0628515
                                                                                                  SHA-256:78A01CCC86628727E603A74BF008DBD95B465031EFA6FB52AB9496293E8470E1
                                                                                                  SHA-512:37E092646B88E45962737ED696C575F944E15BAD3884442A60D7DE427E8669AE1B3C578CE959D2D304A7668CC84F8F3E0C220A4988D4C15197228466456B3878
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg....[stdMfg]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup = Video..ServiceBi
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11712
                                                                                                  Entropy (8bit):6.022711070794495
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:+SniyJoIo6vyowJL/aoxhHoe068jSJUbueqrII:OyaD8YJLFHJ06dUb+J
                                                                                                  MD5:B435F95592AD8E6FC3BACD4A7E89B614
                                                                                                  SHA1:287FA71A499CB6AA7E806BB6106C7401CD504ACA
                                                                                                  SHA-256:331F200BCEA80E55743CE8CCF49B18785F70CAF21C13B15FBA9A3A9D32C6A46E
                                                                                                  SHA-512:53373208640AC22F23B4C56D9C9AC32E0837314E736D14FEAF2A571594886A3D6EF42B875980D39FBE9103C101CDAED43740EB026FFFA6019503E39A85E38086
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16
                                                                                                  Entropy (8bit):3.625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:setupdrv install
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1150
                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):5.9219061141523825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:1zCCrWvSRU7VEBmGDnw29Gz07X83JlcytyCpw:1zCCrM7Uio83JljtyIw
                                                                                                  MD5:50F6A9509729A6D8D97E29AD259C6A1E
                                                                                                  SHA1:1AEADFC64CD4D6B9D878F93999A4D571936CCA91
                                                                                                  SHA-256:C8B3049C278B7E3FE2CFE4D84096A292CC14557EBCC02B8998EB14C83289EB8F
                                                                                                  SHA-512:71660BEE4D58074B05538DA18F905CBFAF1567C60AA02F7C979571F3D21AC2AD56F19B3B7FEB2430686302222932CB901B0B895C16076EF1963CC93C94311769
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):405
                                                                                                  Entropy (8bit):4.932556842608647
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kCdgk3hdyE23B1047V1j47V1u47jkgAq3Gn3C:/jR8XRC4R94RQ43Aqqy
                                                                                                  MD5:00A98380A84308DFEDB409827DB9C916
                                                                                                  SHA1:F31EC578108616125450187C709B6E133425BC25
                                                                                                  SHA-256:948C84A52F8847798150629B396E29857C0C7EB77550276A000E02B2B9C85A4E
                                                                                                  SHA-512:73AFAEB0394B470102A05D6E7F1195E60BEFE5469241C5ED182032AC80E54196945E7E9AA9AC2391DC13528E06F3D6C165C4083ECFE6B6F07A1E8F2E30AA5A8E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8403
                                                                                                  Entropy (8bit):7.26515273733877
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:VafwaRJoIo6vyowJL/aoxhHoe068jSJUbueqO0:VQRaD8YJLFHJ06dUb+O0
                                                                                                  MD5:9B3AB5B97500F2C39C75EA2910BC6420
                                                                                                  SHA1:42267EA620E0EF5B0F4DBF25B705F1B3C4D03649
                                                                                                  SHA-256:32557B63B75CE1DBB761C22092E130561FE6B156CD1D0F96E809E8D0A32E89A6
                                                                                                  SHA-512:BFEBCC8BA47E7E0F7FA6218E2A057C3ADD8C570B839ACA3F159495024028A9F6408143FB7A34F2EAD66278401898150A497339BEF3E671A3212055EC73056009
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0.....+.....7.....v0..r0...+.....7.........8U<F..n1.L.\..081005153929Z0...+.....7.....0...0....R4.7.2.9.5.6.B.E.1.5.7.7.9.6.F.0.3.4.9.B.9.C.D.9.3.0.D.5.0.9.5.1.B.6.2.F.6.9.B.D...1..C02..+.....7...1$0"...F.i.l.e........m.v.2...d.l.l...0>..+.....7...100....O.S.A.t.t.r........2.:.5...1.,.2.:.5...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........G)V..w..4...0..Q./i.0....R9.6.B.8.E.2.E.D.6.3.F.5.4.B.E.B.4.E.0.8.7.7.1.2.A.D.A.7.5.2.0.C.2.3.7.9.C.5.C.4...1..;02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...0>..+.....7...100....O.S.A.t.t.r........2.:.5...1.,.2.:.5...2...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............c.K.N.w...R.#y..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RD.F.A.3.A.B.F.9.9.C.2.4.E.2.7.D.8.6.3.9.B.2
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25536
                                                                                                  Entropy (8bit):6.314384276589044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:jdxcojc4oPxNtS4v28b3pnd6DABnOSLwJiz:jdj9oPxjNv2YnPdpIiz
                                                                                                  MD5:52E972E497645851FA910787CC2050E0
                                                                                                  SHA1:1CE9A93996DFC5F24DF8CAD16E15555BE368B956
                                                                                                  SHA-256:B0C07A2912B4EC67CA8A37B890DB33A62CC0DB3A733CD6D146FF6F865D6E4B88
                                                                                                  SHA-512:4CADF2BFA9056A1756BB79C4EB2842E8A9A132544305EAB0F1433AF2C890B24DA3614E5E241A86358CF47FBF7F0A783102850346CAB2FA04B1AEDC9B81C79E94
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2255
                                                                                                  Entropy (8bit):5.3700497661675906
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:ehVVpvnf4+BCs00c/9XSvFhb54y83WhJhdYpBBh22wlFTP/7bp:MJfJ00Si4yMyA7DwlFLB
                                                                                                  MD5:1B4F828FC21AA28C3CE863A31C1F9D48
                                                                                                  SHA1:96B8E2ED63F54BEB4E087712ADA7520C2379C5C4
                                                                                                  SHA-256:E7F85212D7708402910830576B0BD84873C24A1339CFD3EBBE5A2939127438D4
                                                                                                  SHA-512:9CF0E701ADCBBE05652F623A34849910C657FA9536513835D18FD184FAAD47B62C28437237A78494B8E31F5E27C0BDDCD9D4CB5C5B4BEDC56EF0842553AB3064
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg,NTamd64....[stdMfg.NTamd64]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup =
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11712
                                                                                                  Entropy (8bit):6.137468737457105
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:8CvhDWQJoIo6vyowJL/aoxhHoe068jSJUbueqEQ:hhDWQaD8YJLFHJ06dUb+EQ
                                                                                                  MD5:0469611E7DC0A882D123DC89FE386C01
                                                                                                  SHA1:7059D4EFBE980F3A355CF8401A33F7EA1E129CD9
                                                                                                  SHA-256:BFFA6606A5CCD1F79EF7D0F591BD6EE8FDE28C266EA8C8608D423321174CB87C
                                                                                                  SHA-512:FA1ED8E1A312497A1DCFB73F12D545BA298063250FCDC9E03B4EC71DD86C91743104EB322351F4AD1E33CDD3E412E92595EBA03EE860D013B0A2646BCB467327
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16
                                                                                                  Entropy (8bit):3.625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:setupdrv install
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1150
                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):90688
                                                                                                  Entropy (8bit):6.200844475591763
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:D/QY76jVjfCCHOLvctoA3eDDjEcUVzDOhtMRFS3CZiR3IeSkuH5ysQyMK:D/QNjfCEoAOD0cUVWhmRLARnSDH5y1y3
                                                                                                  MD5:137E02F6D5D1BEB5F8096AA34C93545C
                                                                                                  SHA1:8550A23A017B440A7D558F4DBC959C643262D803
                                                                                                  SHA-256:9CE571A987AEE98698D1A70D39A744A416136370D5659B23DE8C1CC523CEEB83
                                                                                                  SHA-512:38DD0F680C3D906307B0BDD835E035D154F0F65DCB69D25455D81F50F6E1ECC3854A507A26B2C1FE029B05EC1BC7ABB974DDB2190BC06B5808C4A14E243E808D
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):411
                                                                                                  Entropy (8bit):4.977180725182127
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kCdGk3hd0E23B1047V1j47V1u471kgAq3Gn3C:/1RqXRC4R94RQ4dAqqy
                                                                                                  MD5:2203EE251159885EF20D6970F67529C3
                                                                                                  SHA1:D775009C08D7EC7F684FC7B657DDC7BCB7DA94C6
                                                                                                  SHA-256:C3D0070A0EA5BB0708565930199C77E7DC4BFC31A6B368B2F8A7B0239E739304
                                                                                                  SHA-512:3A1BBF3F460DCDCDE1DE3D5F345973D1827EB717AB7FCA3C3DE5A12E324125EF94D7FFC34F664D5C1763790E3A4189F065DFCA4E0E7FB43E4BEC0DA32255E785
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon64.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd64.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8367
                                                                                                  Entropy (8bit):7.272037405136225
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5otYRJoIo6vyowJL/aoxhHoe068jSJUbueqY:nRaD8YJLFHJ06dUb+Y
                                                                                                  MD5:89A312ED78E1EDAC37DE5FD1D3E4E0EB
                                                                                                  SHA1:0F913D609437D8B4C2D9675E66C650C6344B93D5
                                                                                                  SHA-256:065C1A3537BAE5BB645DAC15E068DE3CAEA40E460DF130A05D3CBFE15831E747
                                                                                                  SHA-512:A20DF9DEA384F8B52F287A2E16076CA32BF965B46A46B28BF49A1F18F342AA1E19A1B7FA7AD303AC3AB91364D5C18BCF62083360AF54DC5EA9236BD90AB35A1B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7.....H.`.O.N@...B...b..081005153452Z0...+.....7.....0...0....R1.E.2.1.E.3.7.E.C.2.C.6.8.4.8.9.E.7.6.D.5.E.C.A.0.4.D.A.3.5.1.6.B.9.4.3.2.7.5.F...1..702..+.....7...1$0"...F.i.l.e........m.v.2...s.y.s...02..+.....7...1$0"...O.S.A.t.t.r........2.:.5...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........!.~....m^...5..C'_0....R4.5.3.D.8.9.E.E.3.3.4.F.4.7.2.4.3.C.6.C.C.C.5.3.4.A.D.4.D.4.6.9.B.E.3.0.9.7.2.6...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.5...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........E=..3OG$<l.SJ..i.0.&0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.B.0.9.9.7.8.F.8.B.F.D.A.2.5.3.F.D.5.7.9.1.3.5.3.1.2.9.3.B.F.2.6.5
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20288
                                                                                                  Entropy (8bit):6.695099027186018
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:w69hD4isesPZlFwQUWeFtdg4uS8fHt9ndIeBq6H7LFhaD8YJLFHJ06dUb+C1:w6WesRlFwQg1buSCH3nWB6bLPSLwJi2
                                                                                                  MD5:775286759FF1211C25A8D65D29024FD0
                                                                                                  SHA1:1E8A304D9DBCF3C0AA09AA10304B09B99995C54F
                                                                                                  SHA-256:9581581926651D7A2887FD51CE2D7A330333E47C4F91FB34D7B20C058D9B96D2
                                                                                                  SHA-512:54D4D0A0547311A6B19D5CB196E98DEF93EB5311F1328FA2B3674E81E157D266B2D8CF78E08E547F3BFE21CA716D4679674B23BCE196D612184840E578DAA806
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2239
                                                                                                  Entropy (8bit):5.36119317959271
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:ehVVpvn2vF+BCs0j/9XSvFhb54y83WhJhdYpBBN22wlFTP/7bp:MJQ20di4yMyAXDwlFLB
                                                                                                  MD5:D6AEB05521710E2006B4A9E8C07C68C4
                                                                                                  SHA1:453D89EE334F47243C6CCC534AD4D469BE309726
                                                                                                  SHA-256:F34C416888AEBE90A29948D95BEB8343B7B49CF7E1BB5193716FD97F0330E842
                                                                                                  SHA-512:13C61423D966A5A670BED20535BF6EA211FAAAC15CAD7D2E1124A855A27360CD7B97BFE01E5EE368A139DE9CA07B236427A2BEAEAD19F7C72FD610876696D82D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=05/25/2004,1.1..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg....[stdMfg]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup = Video..ServiceBinary
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10304
                                                                                                  Entropy (8bit):6.601225217483284
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:M46n7JoIo6vyowJL/aoxhHoe068jSJUbueqBfg:TW7aD8YJLFHJ06dUb+W
                                                                                                  MD5:8CD0D603FF051F283CAEE66853622D65
                                                                                                  SHA1:2BAE5B78077F08564AA8DA2DBD8E91C4692BB211
                                                                                                  SHA-256:9CF391A95C44F449827004632A3995C66223D24A09CB309CBA2227C94079857E
                                                                                                  SHA-512:108DC92D80352C3FB2D3EA06B545AA1C19C492506CD0F9C71BF00FF38C97B7BAA840ABD9B33B1E3CE4A154860F1C9301C3504CD1738CC887870025226EA36C32
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16
                                                                                                  Entropy (8bit):3.625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:setupdrv install
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1150
                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):5.9219061141523825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:1zCCrWvSRU7VEBmGDnw29Gz07X83JlcytyCpw:1zCCrM7Uio83JljtyIw
                                                                                                  MD5:50F6A9509729A6D8D97E29AD259C6A1E
                                                                                                  SHA1:1AEADFC64CD4D6B9D878F93999A4D571936CCA91
                                                                                                  SHA-256:C8B3049C278B7E3FE2CFE4D84096A292CC14557EBCC02B8998EB14C83289EB8F
                                                                                                  SHA-512:71660BEE4D58074B05538DA18F905CBFAF1567C60AA02F7C979571F3D21AC2AD56F19B3B7FEB2430686302222932CB901B0B895C16076EF1963CC93C94311769
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):405
                                                                                                  Entropy (8bit):4.932556842608647
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kCdgk3hdyE23B1047V1j47V1u47jkgAq3Gn3C:/jR8XRC4R94RQ43Aqqy
                                                                                                  MD5:00A98380A84308DFEDB409827DB9C916
                                                                                                  SHA1:F31EC578108616125450187C709B6E133425BC25
                                                                                                  SHA-256:948C84A52F8847798150629B396E29857C0C7EB77550276A000E02B2B9C85A4E
                                                                                                  SHA-512:73AFAEB0394B470102A05D6E7F1195E60BEFE5469241C5ED182032AC80E54196945E7E9AA9AC2391DC13528E06F3D6C165C4083ECFE6B6F07A1E8F2E30AA5A8E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28904
                                                                                                  Entropy (8bit):6.117643529522381
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:e+YCxM04ZZNXkvT4cTMUBZ17XM/Q3HUL+drIKumXOs:eULtXFULWfZ
                                                                                                  MD5:87FC012C1B45E780B6CFF6C4F1677C3B
                                                                                                  SHA1:C8EDB2EA85AE5EC17232F6E4CC5594AFB4805936
                                                                                                  SHA-256:D09E57690C0E9D6FF7EF26C7DD85F2E6D19C8E7B36CC298AEBAE04B16D59CA45
                                                                                                  SHA-512:9CD0590444B5FC79CDCD98196D43B027FA17091B49C5246CF9AE97128131BE851D7547BFB5896A2400045CE38901D74A61AEE2DE7D833B178CBDC6EFCC30CBAA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):193
                                                                                                  Entropy (8bit):5.2470977727549695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dYV0K8G6Pm/mec99KfRFQi64hA3C:kid40K8GteerfUibA3C
                                                                                                  MD5:1E14B5A16092F96F382E7CC1291A2B8B
                                                                                                  SHA1:5CBD16AE4C6570AF42D6DC61C64AC2660FD88F60
                                                                                                  SHA-256:D547136F9EDF4066EF4E59864EED1D45EEBAE7FBB338F0068C925B6E6212A0CE
                                                                                                  SHA-512:1B5222F0F87C6C4A651868DFF84A7BB69A3C913257F0665DD955AF411AD9FC7D19AA1242F362BA676474CCEDDAC51D2B3A1AAEBA11BAEFEF899C6D5C0F083509
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe update stdpms.inf *PNP09FF >> inst.log..reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "BlankScreenType" /t REG_DWORD /d 2 >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):207
                                                                                                  Entropy (8bit):5.345831283284553
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dRLw0K8G6Pm/MWyec99KfRFQi64hA3C:kidm0K8GtfyerfUibA3C
                                                                                                  MD5:0270238B2339619D2CC54585124D1ED3
                                                                                                  SHA1:657F624CD74BADB8CB0186731FEDA17A997AD929
                                                                                                  SHA-256:01D2B51A0E18924936C30611457CAD5C5CC2A803C4CFD45E0850A92F6C55B6D7
                                                                                                  SHA-512:52A05F90023926CE9274C64CDE925C2C6055439201AF932459D4FED3D823D08164C76695FFEBA1763C4F9D76D52AAB2F86E230603E3DC2FB7664256E1856CFF8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe update stdpms.inf *PNP09FF >> inst.log..reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "BlankScreenType" /t REG_DWORD /d 2 >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8925
                                                                                                  Entropy (8bit):7.166871854157093
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:dBsB42FHECwUnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lfr9mlv4:kB4UwUnYPL/p1P6j7Tmu
                                                                                                  MD5:38BEB031E625E814CFA8F84CEEE2B8FF
                                                                                                  SHA1:103C875EE0378BA5375A34E731FB2AFFC07939E1
                                                                                                  SHA-256:D441726A3E82AF0DF1C60EDD17B753E59827789BC50E3E79FE957319085F9091
                                                                                                  SHA-512:45DAD2545DB7B3A43DA22FB04518320BFE7E601AF053866253A52F887EE7C8919587AB11C448D335758BEFE2633D3D176B022F2E29D2B920F6164A6101F7CC41
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0."...*.H........".0."....1.0...+......0..j..+.....7.....[0..W0...+.....7.......L.L..O..Jm. Ym..130924010058Z0...+.....7.....0..S0....R3.7.4.F.E.D.7.A.4.4.6.6.9.F.1.A.C.7.B.0.7.2.B.0.C.7.1.8.5.5.F.5.B.6.B.0.3.5.C.8...1..m08..+.....7...1*0(...F.i.l.e........s.t.d.p.m.s...s.y.s...0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........7O.zDf...r...U...5.0....R7.C.8.2.3.8.E.F.3.2.B.A.3.9.C.D.9.C.9.4.D.D.0.5.4.5.0.A.7.D.E.0.E.D.E.1.4.5.D.4...1..e08..+.....7...1*0(...F.i.l.e........s.t.d.p.m.s...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........|.8.2.9....E.}...E.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1897
                                                                                                  Entropy (8bit):5.40875279355006
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jshokavrehezNkgyfROQ9gHwuMgHPgHh2v6YgFR:jMokCcakgMgyIMsAegn
                                                                                                  MD5:A68830A694AB983F0CBF2CC735A535E8
                                                                                                  SHA1:7C8238EF32BA39CD9C94DD05450A7DE0EDE145D4
                                                                                                  SHA-256:6F5CA12FFDFF830B32F02AF03C7B385819CC07BB51AC72A20D69B9C51B2E4112
                                                                                                  SHA-512:581478C5A9488227D0C56E34B7AE353C3FA7068D84023AEC14390B31D24B65BED82FD39590C5A7C4875AD25DEF17FC67ACC97C327D4282AD1E11DD9C260A714C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$WINDOWS NT$"..Class=Monitor..ClassGUID={4d36e96e-e325-11ce-bfc1-08002be10318}..Provider=%splashtop%..DriverVer=06/19/2013,1.0.0.1..CatalogFile=stdpms.cat....[SourceDisksFiles]..stdpms.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,64bits....[DestinationDirs]..DefaultDestDir = 10..CopyFunctionDriver = 12....[Manufacturer]..%splashtop% = Vendor, NTx86, NTAMD64....[Vendor.NTx86]..%splashtop.DeviceDesc%=stdpms.Inst, *PNP09FF....[Vendor.NTAMD64]..%splashtop.DeviceDesc%=stdpms.Inst, *PNP09FF....[stdpms.Inst]..CopyFiles=CopyFunctionDriver..AddReg=stdpms.AddReg....[stdpms.AddReg]..HKR,,DevLoader,,*ntkern..HKR,,NTMPDriver,,stdpms.sys..HKR,,Description,,%splashtop.DeviceDesc%....[stdpms.Inst.NT]..CopyFiles=CopyFunctionDriver....[stdpms.Inst.NT.Services]..Addservice = stdpms, 0x00000002, stdpms_Service_Inst....[CopyFunctionDriver]..stdpms.sys,,,2....[stdpms_Service_Inst]..DisplayName = %splashtop.SvcDesc%..ServiceTyp
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23272
                                                                                                  Entropy (8bit):6.296320987470735
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:G7yGlvIydpSkgTyLAykFsAZNOhFB8LHFnYPL/p1P6j7rflo:KyGlvIydQkgTgQFJjrFumXflo
                                                                                                  MD5:F44EC7AB90115F60EE5C89C40326E637
                                                                                                  SHA1:01BEC4EA8173F191321300587142A6E750728854
                                                                                                  SHA-256:C870FAFAD5C6DB27954C0440D9EFDDCE7B9C61D754EF0E77ABF18EFA1055DD90
                                                                                                  SHA-512:17FD122441EB1B2DBEAD9D79E0B8DB2CB0D581B930DF140069BD77440AA4F9BF4DB80784F261F57253CF3351546817238AAC81B2D68DA74884C46D514C9A9EDA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):429
                                                                                                  Entropy (8bit):5.13651514908582
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kWgfeVKfDFGjdCi4eGjdyE23B1047V1j47V1u477lLWNi:ZoDowvei8XRC4R94RQ4h9
                                                                                                  MD5:F42F2B0F25E41755569A7775A5C6F8BA
                                                                                                  SHA1:B630C60A3375309731B0B7AC33A9D6E12B44ED50
                                                                                                  SHA-256:F026A21D6037169A81AC862A79E4F47C674B34914C1DED36BCDDB8739C838F46
                                                                                                  SHA-512:8D9B9335D4767ACFCF651DB62B2B710CC9ECB402980D6A98982A1EA1C0A6F64FBA9762F2A44673CFE5749EE742F5FE68031FCFF968B4B4D2A290E74A0192375B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..reg delete "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /v "BlankScreenType" /f >> inst.log..utils\devcon.exe /r remove *PNP09FF >> inst.log..utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End..utils\DIFxCmd.exe /u stdpms.inf >> inst.log..:End
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):447
                                                                                                  Entropy (8bit):5.223602249135668
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kWgMyeVKfDFGjdd4eGjd0E23B1047V1j47V1u477DLWNi:Z3EDoQeiqXRC4R94RQ4P9
                                                                                                  MD5:3ADA65DC27A4580E1CF3FDC58A4A8C79
                                                                                                  SHA1:C1D8A0723FE1C586CEA434297CEF96E4E25C847D
                                                                                                  SHA-256:21D46DA2DC3808664C0D6028271BE0EEAB25DEFE60653E481238EEE96273E609
                                                                                                  SHA-512:B55E5E2CD2C1E48C526DEA70C075810F019942A72C2B0BBEF31E2DC8337B104ED5EB199AD6F0D8A16C6DFF3353193E647011A3E80762E47C9E7C13C6FCD4DBB4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..reg delete "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /v "BlankScreenType" /f >> inst.log..utils\devcon64.exe /r remove *PNP09FF >> inst.log..utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End..utils\DIFxCmd64.exe /u stdpms.inf >> inst.log..:End
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):207184
                                                                                                  Entropy (8bit):6.508603224700573
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:SJzsVxRROApObap+CPSxzqNJ3pvfsFMV2+/SRVDB:SEOb5x2NxqFMi
                                                                                                  MD5:BDF578CA45021464EB4C5F2725FADE13
                                                                                                  SHA1:17FD8DD28EBE232EDB4A7D5B4A9734D6F48212F3
                                                                                                  SHA-256:F9711EC83463C8D7D8D3C2E0493BBDD9C55D55869AD49E327CC1F0612A836B51
                                                                                                  SHA-512:611999852027F5E52A786F4C22A77AF75EE3ECB1584AC1F061100248D19AA1C45C31665A38A46604B1D489A049D3CE00EF43DA7A5E427A3A7C1A5EFA0D874526
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):214992
                                                                                                  Entropy (8bit):6.578816818366091
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:1yYZVBVmekQ5ncHc43wAmaxEJg3tNqYU51pQ8DfqXF7q9B24CvJ6BAQ:1y8Vf1uTHNqYUH+8GeMvJ4t
                                                                                                  MD5:DDBCBCED9CCBA27D296B680D04178B1D
                                                                                                  SHA1:5BE1EF49678E4F9250B675DFE595DF1219DD7EF9
                                                                                                  SHA-256:B23B42E24EAB4E2F1DD94711EEC741F94D39F5EBAF238820A0B9D464522C24D2
                                                                                                  SHA-512:B913058A50A4235925F208E9FA8740DDA1A070168285401FD9C9032C0CC782887F5D92A0D68796D7473E61EE8DDC1E863503C288CAD1F99C233A0DEDE37CB314
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):147280
                                                                                                  Entropy (8bit):6.480280521349599
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Sooboos//G/jWDiNza6LR07qZ2bzl409+E/PXwCSp6WKsAqHew+1l7niE:SooyFiJRmbzl4mZYYqHz+1l7iE
                                                                                                  MD5:4359D841792BD3A711065BD347503ED4
                                                                                                  SHA1:ED3DA69B4DAAEE1E3C6A35B9B22A3608C210B845
                                                                                                  SHA-256:D8BAC61DF2126D9203B3823AA40AF05FE7B6F9C5122DEBAB5F8CEADD1119773B
                                                                                                  SHA-512:F1FB6B25199CDBD0C40CCCEB069CF3DC32DEEDC2F21C67CC8C22A189115389795B435631EEA30A94EDE19331FACF475A4BD7163522D9AD0EC1DF6118D1E05EAB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):160080
                                                                                                  Entropy (8bit):6.481630469427064
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:CizpEi8PNuoyZLy39r4BRyFr8Tjqe1LP+0hORlE:CUpX8FYFyB8T2oyRa
                                                                                                  MD5:1E478E7F7D20800B958E2D1780C805F6
                                                                                                  SHA1:F166DB5211F695BA039DC81C246653EC1B25DC02
                                                                                                  SHA-256:9989C6791433F8B7FD05F4750F79F9082DBD28087948A366EA695EAC983150CD
                                                                                                  SHA-512:852EFB6AE48B3C4BAD4B8E11DC46AAA4CA37A501AFD568B469BB9ED43A27086916588F370286DD1F51834037777C4D2518310A37A469AE7BE19CFE36F08A98D3
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):194896
                                                                                                  Entropy (8bit):6.4942111692959354
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:0w8OfdMjstdIxIImJZDpwmw6jse70oSzhiVjkXIS1qPfb3PPqFSqQovoRe9C86/9:0w8wZDxspqPfbuSqQCoSz6/e1+1FiAx3
                                                                                                  MD5:F0FCF6CB5986E267A978A0DF86471563
                                                                                                  SHA1:214F4BB84F7A1981D30B7C4BC13C7B3E4A5CC8B3
                                                                                                  SHA-256:34E4A968A87692DA8A2EF073ADD7E19F32009709B50F7C747D1D8BF261C21CBC
                                                                                                  SHA-512:529DFD1E587BE6EA67B464C44CC7A0C1B0F6A9CD663590E7BD0083CC7A68DD8F60FC1E81E26012D71CF5C8BD5EFF4B2FB477D5DBEF3FFA1FF4136CE266B5DA6F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):245584
                                                                                                  Entropy (8bit):6.433639873152362
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:0w+rqKMvEZF6VPvVpb1eTjLp8D3qkTmII9b9zC+l+smDP00IPWx2Wuw:0drWgFEPNB+MPTHIWjP00Ie3
                                                                                                  MD5:FE4F22128776F52062DD8FA74D0B5075
                                                                                                  SHA1:3A15B1AD0B5D62D474319A3DB95D985B49537BF1
                                                                                                  SHA-256:EC4D01234426AAC9FF2751B209B0484769BEE97A0DC930B1B56A1743CD24B805
                                                                                                  SHA-512:163A78CB59061B4B9BE98DC763109744BBBEEDAF8B3CB7EB19A22334AC1F9223880C0E8684FEB4B363C824D9918E72E1B94D5F76AD63235F8C49ADEFC3713637
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):238928
                                                                                                  Entropy (8bit):7.071067596161183
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:OG9NqQQHPItXExQNj+mB92u+CW5D37LnuHc45X0T5/uyFNJpfUarTtBB:99AP2b+mBQVJLnYlETtug5T
                                                                                                  MD5:2A397EFDA6D84A15B890D56D4292BA6E
                                                                                                  SHA1:F985E4893119E6C30191DE84DA25059B33F902A8
                                                                                                  SHA-256:398AEC7557E2E1DB30EFCA6FDA0D7D23940B863B396C1A4FC2BB588294F595E6
                                                                                                  SHA-512:A199C2FF26C3A3E1DA54D8386F568FA900B853FE3D3754100904EF3153CD72D672971FF72141D9AE5F5BC467D59E2DDC69856C761BBA9DA4488FC69F52A9E5E0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):249168
                                                                                                  Entropy (8bit):6.2058943183487445
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:E/vPLr8AhQh4jhNgZzSNPSVlX4T1FrKT7EjUOkdny+ywlJZcWzV8TMXU7o91y4Rd:i3LIl4XgsSVloTnPYdn7lJZRZ8QXqsJ/
                                                                                                  MD5:EB8DA0234C4D7C7A58B8FB820AFB4BD2
                                                                                                  SHA1:1DED1192371D0B0BF17F5AC908A96A1499C1CABD
                                                                                                  SHA-256:88F7BDCB33CDC34B5E8834634A36E2B6A45015016C47EFE4B846A4D202326093
                                                                                                  SHA-512:789725D38C041CDC311065E7987CC7E79F9A6C00E2F3ABD37096A04F81258636AB0DA6B99F895CC80DA9F770DB0C594EB8467CCA1B77854E091F8FA18F19200D
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):237008
                                                                                                  Entropy (8bit):6.30179636306813
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:B+2HsTNg3ex5PUwoEK2dvK7PnGxOkf9V3QhjTvI9Nle9owmPDXpUIJonb:BDHsT2qvoEKMAGxOkVJQhjTAEgY
                                                                                                  MD5:7DD3CA728E061F9C438209935DF41FD8
                                                                                                  SHA1:D291C17619FB2E9B8A4CF07B53A56DC60CFB4C8E
                                                                                                  SHA-256:F19F300E4623E3B57F870D8E4B150F2E70D29E6CB47750671D53667BB0804202
                                                                                                  SHA-512:E7D0AB0EB37F6B245B1EBDE46C2D9184AB801EB659E4F4ED7C2AFD07843A1646612290AD3C315EE9BF7FC1A9425B58E2A03810014DDBB621EB46B331AA2E753E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):168784
                                                                                                  Entropy (8bit):6.240155377344884
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:l0fRIF+SwIL9Bagg2mCEPToX/ITpu0uOpDSgb2WXa+qM5F:CfaCIJbglCe1Vu0uIDSlOF
                                                                                                  MD5:77C729F857CFA38CFE4FCB18EE8F6BAD
                                                                                                  SHA1:938F96F880E824D03F1174C3D1CD56922452E5CC
                                                                                                  SHA-256:C1C016F2917B395A16936C692C35B8E6CC4C0196C26BC69AA8A686747BA690AD
                                                                                                  SHA-512:F921A945EFAD2DF95BAB6574029D6E4502A1C2D52E44550547CE2C812E8D06E8120F9EAB07F728E97F17C4949CC112F20E59938906E0F26988E4F79903BCF658
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):187216
                                                                                                  Entropy (8bit):6.244838939180771
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:sSUAV0AVZrAVOVrHYapV5Ddr1oxkg9gh0CBEACcodM5nY+WVFGoK4:jvPb6OVrVNJ1ufqBEACjGK
                                                                                                  MD5:8E2C3434811B348F7AB9F7DEC6E95C3B
                                                                                                  SHA1:349682719857DB46E4A7EBFCEF0F85264B3116F3
                                                                                                  SHA-256:11F45D049C8FABF308944D77D17AB3FBB0A7BB5BFA143263B9EFBECA3A568EE3
                                                                                                  SHA-512:C271F2BBED3E740D771AF1A3BF684F4CB67C8F9B0D20E7D886817602F76BE8A432B05AB4E2AC8FDFCEEAA194602C81D8C9FFE6E015D224C6DC9C40F125365F5D
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):244560
                                                                                                  Entropy (8bit):6.236867435454928
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:RuctDSdRbMOiymM/Cufn5B+1jowgreeTwcL:RqXMOFmA5VwgBE0
                                                                                                  MD5:61BD6282DB08405FD08C64BC00CEBF4B
                                                                                                  SHA1:EC4391249AE7247162C0D28B50ED73B1DCD11246
                                                                                                  SHA-256:A3BF8ED5ACCB8EBCA5C9A4430FA54A492E39160AE2BA51285D241D75F1743848
                                                                                                  SHA-512:DFEF9209C57E890F7D29280F6A296C5A9D1C3F496464C9EEA28DB0E1C407F2C5042DF926D442480359A120A93D8C44536C5A0C119C3AB6E7D15685F157E28DD6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):333136
                                                                                                  Entropy (8bit):6.120290709944056
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:TJNLhV1jxjcVfgFf6QlJpYw4MxuiMRZI7CPdxV4eZ+PyRPP00Io:TJ1j1aVfgFiQ/ug/G1
                                                                                                  MD5:8EFFB8A42CBC831CD360E9B1BEF65D98
                                                                                                  SHA1:BA78110DA11B7C8C6432F1A128B7D9DF384AE9FD
                                                                                                  SHA-256:ECB1BCEA47422DBFD4326669AC5B2DB463088994B12008258EFF2C546237864F
                                                                                                  SHA-512:B29D4B954619355A2797A4CA88664BC9679AD1C5EB4A2FE54BAE63399DF06405969B4E2D0098AD6A7C8E0C7A2A9E19F0DE20C5B1D401D933D89D2D71F7A32789
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):273232
                                                                                                  Entropy (8bit):6.8361644522698635
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:7j4c/JPjXOQTuGkfIpmWpnETJLnYlETtu/:7j4cBbEZTTJDY+0
                                                                                                  MD5:C52E66AE497C51CF73098D494EEBF8F0
                                                                                                  SHA1:8E7E38F30FAD35D8ED935B14FFA1BB5A9EABE4D0
                                                                                                  SHA-256:F6F7D5C20A078BE7ABD2402316A605F050388C6303D7F3ABC45F201D1FC5F1FD
                                                                                                  SHA-512:579E0DD63720B6D004FFBE6AE1686F43B70CEB8722DAC70FD06E5B06682C0F22282374D5394C06398252A2EA8163EA884239A8065EC5807DE1A9389A479CFC36
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):867
                                                                                                  Entropy (8bit):5.162389785193304
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:k8rGqwAcK/EyAZRVowyyAcK/E2kam0LYDeegidym0EZkBqq6JFpYpFSqq6JFrmp5:XrWWFwD7WR8mI/xOZE
                                                                                                  MD5:013784DA9890EAB3D914505857EDF2B7
                                                                                                  SHA1:92C9CA11174E98F65AD6898705176ED50EF55F95
                                                                                                  SHA-256:CDA5DEBA2BE6CFE1E111DF596AC08D45762A96B14AEC796C4E70F128C0734EAC
                                                                                                  SHA-512:9D71BEE329BDDA3B8EA064BB92813062D91079BA841AE50D6CC7D2AEAD27D49279D2857141C02BD5FA565D5C497E9E8E8163579A425F7C87550F1F0EFC194652
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):879
                                                                                                  Entropy (8bit):5.190136582088596
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:k8rGqwAcK/EyAZRVowyyAcK/E2kam0LYDfyegidym0EZkBqq6JFpYpFSqq6JFrm7:XrWWFwD7WR8fCI/xOZE
                                                                                                  MD5:0A0EE03D0C51915B2815280B476530F4
                                                                                                  SHA1:6C074D8E0D462B6E6D0CC5C02BABB88D483E3551
                                                                                                  SHA-256:C3FB7578267FA09C4446C926532FD869DD8E74CD20AF2915BBEE32DB4D647C9D
                                                                                                  SHA-512:85EC5D2898892F847618D7A10D7DD680839A3D0E55603D56C5C39568E8D7B0F63F7A10BF4B063611B9ECD395BD73B89010B421ADD481CDBEF0A50B3770A9C9F8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):214
                                                                                                  Entropy (8bit):4.631936044721133
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Hjsm6y9jcK/ES2d6y9jcKZS2bVXzLYwkrnRS2n:DWAcK/EyAcKZRVowyh
                                                                                                  MD5:88E59700F53DE95D2847B9687764BE30
                                                                                                  SHA1:CD5780DBF1C711B9C28DC001F4149BA3251BECF7
                                                                                                  SHA-256:B085F4E0D6A7A4DC967C96D7C318CB749BC497135FD9E35D7AD0C88E6C53F577
                                                                                                  SHA-512:6E7D2FD4CF87B63BAB39E225362ECBE60F52FAB0DA42C97834B8EA59D653CDBD06B98E2C490C5465B1999AF2F7869F729CBFC34E55D5ECC768D85D48B9874374
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:cd %~dp0..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):203
                                                                                                  Entropy (8bit):5.068283784998216
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:mKDDQFGCTWYdym6F9K2MLgZ+X0KcK/F+N7oaf/DEd7/JQF9K2MLgZ+X0KcK/FvK2:hsICTJ6y9jcK/ePD0Sy9jcK/ES2uz
                                                                                                  MD5:FA3C191799254E542687F1F5D0974BC5
                                                                                                  SHA1:DC85AAC2AA31CD3DE9017E7E099581457AD4FBF2
                                                                                                  SHA-256:347B12E6E2FC79E2A3668625341D7642D531159FFE5B01AB2BC5469E0EFC6B3F
                                                                                                  SHA-512:635689814E63084910541BA68FE8ADE8FDFBC3D0100AFD61DDD13D07E61F3478BA75E4D24AA7B26DF21A3E46C4ED2B1C8789520C5634CAC63CFE32DCB1E8686E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off....IF [%1] == [] GOTO RunDefault....rundll32 printui.dll,PrintUIEntry /q /dl /n %1..GOTO :EOF....:RunDefault...rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"...GOTO :EOF
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17908
                                                                                                  Entropy (8bit):6.33935778048778
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:fNDJbjaXGStblM2wk0mev6/9IDRfupdYpJIBbIgx+4lMrp2/CsECw8nYe+PjPVhc:n3dw75xa1Sw8nYPLVhtOUez
                                                                                                  MD5:2DAC6568B843EBDC5C98598CA32918BE
                                                                                                  SHA1:E7740E4BE7F71A82ADBB6E5224D33534E237614C
                                                                                                  SHA-256:EB61A0E06BF8C69597F9BB1909E3EB4F926E49800C3F9721FDA3007993DA5EE7
                                                                                                  SHA-512:1BC8AA82E68911F5EE1835D19CF49A736C1C35C2F6B4FCD48C3C6FCF7FF6958400D1E815C5E891E172AF9035232175BB00E8A21F5A0590F02DC683F45A6C3D8B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2793
                                                                                                  Entropy (8bit):5.507689832444162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:JQUio6uDhMM/s4244P8/CW2T8/C0kApvgJCrC1sJCr+6pqEsXncT9tuhcOYEZ53t:JQUiRKhMostT9Ap4sr4ssraXx
                                                                                                  MD5:313535621266212971E303AF0AF4FE21
                                                                                                  SHA1:D81F9D3F7B638DE5EFCA0ECB0162A76485E2C2BF
                                                                                                  SHA-256:0B60A283CB98034CEE13118BF1F885A644479CC6F4B19D9E4D24A5FEC6064A1F
                                                                                                  SHA-512:8A1A716A2CAD85410F009EE0CDF570F4CA36E3A182927CA5B836F3FC0BEE466F0C4E8B583694A6A4014CE60C45A2439119BF0C1ADDA0ED168053E9F08A6DF608
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$Windows NT$"..Provider=%splashtop%..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..DriverVer=04/19/2019,10.0.10012.16386..CatalogFile=stprinter.cat....[Manufacturer]..%splashtop%=Vendor,NTx86,NTamd64,NTx86.6.0,NTamd64.6.0....[Vendor.NTx86]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTamd64]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTx86.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[Vendor.NTamd64.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[INSTALL_XDSMPL_FILTERS_PRE_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..PrintProcessor="MS_XPS,filterpipelineprintproc.dll"..ConfigFile=UniDrvUI.dll..HelpFile=UniDrv.HLP..DataFile=XDSmpl.GPD..Include=NTPRINT.INF, MSXPSDRV.INF..Needs=UNIDRV.OEM, XPSGPD.OEM, XPSDRV.OEM....[INSTALL_XDSMPL_FILTERS_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..Confi
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2543
                                                                                                  Entropy (8bit):5.42985763446162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2uMRFNu4TMlWaDqFNQ29ZNlV2MK712DJNzaMR1X2kKJzgSZwlQXV2MK71euV2MKc:QFQ4ShC66ZLq7UAq7zq7o
                                                                                                  MD5:C228BF417378FD98E4229A2BA3054CAE
                                                                                                  SHA1:175CCDA93EF8EDBFAB2F1BE507F64690FE5BECE9
                                                                                                  SHA-256:1DFD5E0AD2765E39A614EF56603A749C095DDC00E6F50079CDDDA8E18159E73B
                                                                                                  SHA-512:6F9D65AA46B702E55D34532A37B33993AD53AB305679768F419A74B8CE2EF8C494CC877606C3C663545111F1189CE4456798D465C1A5EB4F7B6708DEB2A6B719
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..utils\DIFxCmd.exe /u stprinter.inf >> inst.log..utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows NT x86\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\3\xdbook.dll"..del /F /Q "%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2513
                                                                                                  Entropy (8bit):5.408021383480619
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2uMRFNu4TMlWkDqFNQ4ZNlV2MK71AynXV2MK71euV2MK7153w3uV:QFQ4SDC64ZLq7xq7zq7Z
                                                                                                  MD5:DB05A3CA2E7604DC2E29A922A4545075
                                                                                                  SHA1:0430C36BD56EAC3F65E0060CE91DC60E31F822C5
                                                                                                  SHA-256:9E0BD257BFE859F462EEE9E0F1DC20768425F73C9E90B0F7F5EE450726FBB56F
                                                                                                  SHA-512:9FDD486F4F7F5D1ED3CBEF4A2246416F88643E27E76D79A433E5450D8790BA264C3219555A0CB57602BC2E3F884C1E1449EA0688D59355D68E23DBE9499F8B60
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..utils\DIFxCmd64.exe /u stprinter.inf >> inst.log..utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\x64\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\x64\3\xdbook.dll"..del /F /Q "%WINDIR%
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7680
                                                                                                  Entropy (8bit):5.202360830491015
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216416
                                                                                                  Entropy (8bit):6.5890891928333435
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):214992
                                                                                                  Entropy (8bit):6.578816818366091
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):156512
                                                                                                  Entropy (8bit):6.590357914627137
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):169312
                                                                                                  Entropy (8bit):6.584431984131001
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):204128
                                                                                                  Entropy (8bit):6.5795919533739005
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):254816
                                                                                                  Entropy (8bit):6.5058723884762335
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):248160
                                                                                                  Entropy (8bit):7.1098745205591625
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):258400
                                                                                                  Entropy (8bit):6.288592681682295
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):237008
                                                                                                  Entropy (8bit):6.30179636306813
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):178016
                                                                                                  Entropy (8bit):6.354805848687379
                                                                                                  Encrypted:false
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):196448
                                                                                                  Entropy (8bit):6.349185940783631
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:lSUAV0AVZrAVOVrHYapV5Ddr1oxkg9gh0CBEACcodM5nY+WVFGoEM8ip:AvPb6OVrVNJ1ufqBEACjG/Y
                                                                                                  MD5:A88901EB863EC013B461A84DACB4C795
                                                                                                  SHA1:40303F44732A2C8DBEAF4EC13CD32FCED66D8F8A
                                                                                                  SHA-256:FF295F8914F76DFE707455FE633BFC42B805BB4D3274C2290E1E5D56A383E969
                                                                                                  SHA-512:92BD7F2CE6DB83A744972503B4352ADC210FE10C0BDC026F953A925361365E95B79A4A1CEF3677266AE7178FAC24AA64A353115362E987F1DFD84BA38A6F9B25
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):253792
                                                                                                  Entropy (8bit):6.319719994714089
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:NuctDSdRbMOiymM/Cufn5B+1jowgreeTwcV1:NqXMOFmA5VwgBEg1
                                                                                                  MD5:668A98269B12A2C17E39137AC8D7B716
                                                                                                  SHA1:E438E9031338158FE70B9D7821200DC4929380CA
                                                                                                  SHA-256:200D323E0842ABC93E22F6D475928AB0DAC6AA9F3824CF8E729E8049852AC54A
                                                                                                  SHA-512:E2E425489A084022AE23AF65D4869B24A247E3159DA5ED4E31B0CDB11C0BE30AF9EEA12ECF68F9C8269B60ECC1BB489F3EFDE00F4F8885AA2631EFAB3E54BCBC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):342368
                                                                                                  Entropy (8bit):6.187004427741537
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:T7NLhV1jxjcVfgFf6QlJpYw4MxuiMRZI7CPdxV4eZ+PyRPP00I7Q:T71j1aVfgFiQ/ug/GMQ
                                                                                                  MD5:96BDC666BCD7D432D6C7D4170C8E6046
                                                                                                  SHA1:1B705A191731ECA3369435D9906C8275C5D326C2
                                                                                                  SHA-256:DC4C32919B533A79D9EA76BDE59975DD149AA9C7B7278B076019C080A3A97C56
                                                                                                  SHA-512:DDD9E42633F98A7E5F6F7E3E4571815F9D80EA16084B23A82DBE22E929FD6F0BD791EB3DFA7BB229D73D101C66077C99FE47A5CEAB1DF6917A6E4DF209853162
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):282464
                                                                                                  Entropy (8bit):6.880530047125276
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:tj4c/JPjXOQTuGkfIpmWpnETJLnYlETtuwv:tj4cBbEZTTJDY+jv
                                                                                                  MD5:F26D954E0F23049CAA4F698934DB5371
                                                                                                  SHA1:B0FC39DFF9871778A767B95F0D1CD6E56F939071
                                                                                                  SHA-256:186500D4E31ADF5FA2DC02F112EDE6FCA86C1BC48731EA224CFE83C160ABD1CD
                                                                                                  SHA-512:BF79667EC9E85FCC6214BB8B3352DCF4B43A042708F471C293B507574A446D938C4E5981C6E9FA4E81AF98A91B6A72CB678F06B91E064F3FCA48744DC0DFF94F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):870
                                                                                                  Entropy (8bit):5.164710229415834
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kcrGqwAcK/EyAZRVowyyAcK/E2kam0LYDeegidym0EZkBqq6JFpYpFSqq6JFrmp5:BrWWFwD7WR8mI/xOZE
                                                                                                  MD5:50B0957220D10275274CAC025EAA6883
                                                                                                  SHA1:8F677ED1CD73A05F634AA06AD6BED1DA4C6BD80F
                                                                                                  SHA-256:B76D74AEC705A3F9FD055307A966777ADB279FB06D03524C992E608FE73AEB22
                                                                                                  SHA-512:C62DAAC3AC516500D819718BF5697D948B6EB684276A21A80E6E9C26FE5F1D0593D7FE281702D3BC48D2A1897B0EB7BD910CEE0978950C0F6636FB86E72B6BD3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):882
                                                                                                  Entropy (8bit):5.192332970304343
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kcrGqwAcK/EyAZRVowyyAcK/E2kam0LYDfyegidym0EZkBqq6JFpYpFSqq6JFrm7:BrWWFwD7WR8fCI/xOZE
                                                                                                  MD5:16BBC22B18C5325649C98DD02F3DDDBF
                                                                                                  SHA1:B6F97171D20CBC84DEDB07C304F92B25B5A08450
                                                                                                  SHA-256:8C3BED319076C7B27FB5D9CD7DCE31E8EE09624E191BC3D709962426FB12951A
                                                                                                  SHA-512:293E8BF93A22021FD80AA95A30965287BF40F5030DA457BC16D004E86C3B3FF8983DA8C0D743A42F1CBF935A2EB8E1CB5FCB488914B51330686B2C60BD1C71B9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):214
                                                                                                  Entropy (8bit):4.631936044721133
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Hjsm6y9jcK/ES2d6y9jcKZS2bVXzLYwkrnRS2n:DWAcK/EyAcKZRVowyh
                                                                                                  MD5:88E59700F53DE95D2847B9687764BE30
                                                                                                  SHA1:CD5780DBF1C711B9C28DC001F4149BA3251BECF7
                                                                                                  SHA-256:B085F4E0D6A7A4DC967C96D7C318CB749BC497135FD9E35D7AD0C88E6C53F577
                                                                                                  SHA-512:6E7D2FD4CF87B63BAB39E225362ECBE60F52FAB0DA42C97834B8EA59D653CDBD06B98E2C490C5465B1999AF2F7869F729CBFC34E55D5ECC768D85D48B9874374
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:cd %~dp0..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):203
                                                                                                  Entropy (8bit):5.068283784998216
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:mKDDQFGCTWYdym6F9K2MLgZ+X0KcK/F+N7oaf/DEd7/JQF9K2MLgZ+X0KcK/FvK2:hsICTJ6y9jcK/ePD0Sy9jcK/ES2uz
                                                                                                  MD5:FA3C191799254E542687F1F5D0974BC5
                                                                                                  SHA1:DC85AAC2AA31CD3DE9017E7E099581457AD4FBF2
                                                                                                  SHA-256:347B12E6E2FC79E2A3668625341D7642D531159FFE5B01AB2BC5469E0EFC6B3F
                                                                                                  SHA-512:635689814E63084910541BA68FE8ADE8FDFBC3D0100AFD61DDD13D07E61F3478BA75E4D24AA7B26DF21A3E46C4ED2B1C8789520C5634CAC63CFE32DCB1E8686E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off....IF [%1] == [] GOTO RunDefault....rundll32 printui.dll,PrintUIEntry /q /dl /n %1..GOTO :EOF....:RunDefault...rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"...GOTO :EOF
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19851
                                                                                                  Entropy (8bit):6.774813122930257
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:UelM68cpgw3otOCxH50u4RkeelMpSfpd/CJHJ2elMSJfApwtNJKGT1hvJNMvIqvQ:EWtO5smIwg9Zh3q8pUclGNbc
                                                                                                  MD5:1D56A3F8D7F5DAB184A8CC4FEDDAA173
                                                                                                  SHA1:75D291CB96FDC05D54C962F1CB08796EE439B22F
                                                                                                  SHA-256:84E1A32B4975E92477CF6A36D8931921DA735EF988E0C09A2B056F2904541B1E
                                                                                                  SHA-512:FB58167A98D9309A703F06D5C6414AB707B37E90A26BFC1C0812B10381C116FA6C7C26AC30FC8570B8F87186775BC64E7AF6D409A7D213FC3B4B76B0B7A76FB6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2793
                                                                                                  Entropy (8bit):5.507689832444162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:JQUio6uDhMM/s4244P8/CW2T8/C0kApvgJCrC1sJCr+6pqEsXncT9tuhcOYEZ53t:JQUiRKhMostT9Ap4sr4ssraXx
                                                                                                  MD5:313535621266212971E303AF0AF4FE21
                                                                                                  SHA1:D81F9D3F7B638DE5EFCA0ECB0162A76485E2C2BF
                                                                                                  SHA-256:0B60A283CB98034CEE13118BF1F885A644479CC6F4B19D9E4D24A5FEC6064A1F
                                                                                                  SHA-512:8A1A716A2CAD85410F009EE0CDF570F4CA36E3A182927CA5B836F3FC0BEE466F0C4E8B583694A6A4014CE60C45A2439119BF0C1ADDA0ED168053E9F08A6DF608
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$Windows NT$"..Provider=%splashtop%..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..DriverVer=04/19/2019,10.0.10012.16386..CatalogFile=stprinter.cat....[Manufacturer]..%splashtop%=Vendor,NTx86,NTamd64,NTx86.6.0,NTamd64.6.0....[Vendor.NTx86]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTamd64]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTx86.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[Vendor.NTamd64.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[INSTALL_XDSMPL_FILTERS_PRE_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..PrintProcessor="MS_XPS,filterpipelineprintproc.dll"..ConfigFile=UniDrvUI.dll..HelpFile=UniDrv.HLP..DataFile=XDSmpl.GPD..Include=NTPRINT.INF, MSXPSDRV.INF..Needs=UNIDRV.OEM, XPSGPD.OEM, XPSDRV.OEM....[INSTALL_XDSMPL_FILTERS_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..Confi
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2561
                                                                                                  Entropy (8bit):5.431790187193416
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2uMRFNu4TMlWoDqFNQ29ZNlV2MK712DJNzaMR1X2kKJzgSZwlQXV2MK71euV2MKo:QFQ4SDC66ZLq7UAq7zq7E
                                                                                                  MD5:AD8561D2E73AFD63F5A088972D435467
                                                                                                  SHA1:FA7F53A308C00B0C5E1ACE95489658840EAF13A3
                                                                                                  SHA-256:68C4AF8BB6C4FB75CFA95739DF4E3B288DBBFB141E6851275E2F9EFFCA893015
                                                                                                  SHA-512:AA240EFD0EFD508CE48D444997E65DE8A36DE321764196C294F1366A77C3D30AEA6BF31AF53C7644BD3D027284B266D06D0B574E69598D50D44005718F3F2178
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....\utils\DIFxCmd.exe /u stprinter.inf >> inst.log....\utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows NT x86\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\3\xdbook.dll"..del /F
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2519
                                                                                                  Entropy (8bit):5.407961236238507
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2uMRFNu4TMlWSDqFNQ4ZNlV2MK71AynXV2MK71euV2MK7153w3uV:QFQ4SJC64ZLq7xq7zq7Z
                                                                                                  MD5:5FD0095B7389DBEDA4EC394C06AC4657
                                                                                                  SHA1:7C5D1C3E2B062F6E993AB34292749B03FD7007A8
                                                                                                  SHA-256:692FE4C899554BBFA0A05A0183F46C23A24E48FB4371DC0863B7A24452FE5252
                                                                                                  SHA-512:F38926653AF960FE11AD843E7C89BB9DC62C29225D2DF10B0CA9BA4F668637BE053778EE726F42A2DC76FA801593A08A69DE4CDEFCB9BE037CA094D34773A8D6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....\utils\DIFxCmd64.exe /u stprinter.inf >> inst.log....\utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\x64\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\x64\3\xdbook.dll"..del /F /Q "%W
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Microsoft color profile 2.2, type lino, CMYK/Lab-prtr device by MSFT, 849080 bytes, 10-5-2006 15:02:14 "Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile f"
                                                                                                  Category:dropped
                                                                                                  Size (bytes):849080
                                                                                                  Entropy (8bit):6.924819797081704
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:nupHTMj2vkdYa+kYfwx+rbgal21W0M5SU1yr2U5fOFQw8LHxrLiYJVarTH46xL1F:upgavkz+UIUBRm020G7
                                                                                                  MD5:8EE08E7B69A5F2ECA6BB3A5EEDB48649
                                                                                                  SHA1:FF7CFA21BDCB220EC0450E76A1C2AB0854CAEBD6
                                                                                                  SHA-256:2B215C1FA5CAA10582BDAFE6B51A911C9D8B2B0B456EEEFF955064FDC3844D98
                                                                                                  SHA-512:12AEA33F800D5203811DE1FFA1181BD1B8A58C54BD52A9D2BF7A4084CC2BBC52C9E74E9434C41C6B1EB2CA451E81D5E11B3CE6B827BA4B0F14927EB4FAD62FF0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1808
                                                                                                  Entropy (8bit):4.525972600570173
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9QltHlRIORmRCjR73RpRvrmRCgORmRCjR73RpRS:sDuH87FRDRmRCjRrRpRvrmRCbRmRCjRI
                                                                                                  MD5:9303837EFF41196B0FC3D6AD46FE43AF
                                                                                                  SHA1:9AFBCA730F3A98C5C43AC1AF156BCD6C3CE366E5
                                                                                                  SHA-256:ABD2E8A90B9949D61DF21DF88AED7040542555A0228BB0B375439F8488A06294
                                                                                                  SHA-512:9F8C9956CEB14B7A275B346A48A1C010DEB23D94BAB4E0FFD395D23B5573533EB80630092CA6A458D33762E55C260752CA294B5E0632179ECC18F17A0B961D55
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdbook.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Booklet specific GPD settings...*%....*%******************************************************************************..*% JobBindAllDocuments..*%******************************************************************************..*Feature: JobBindAllDocuments..{.. *rcNameID: =IDS_GPD_JOBBINDING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: BindLeft.. {.. *rcNameID: =IDS_GPD_LTOR.. }.... *Option: BindRight.. {.. *rcNameID: =IDS_GPD_RTOL.. }.... *Option:
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2718
                                                                                                  Entropy (8bit):4.658165462032682
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9xmSx8iZR/+eRxSRURJPRo/8nRFGR7RrXh8TpR9KbzkR5BMLkRWkc4:sDuHN/DRFRkRURJPRo/ARYR7Rrx+R98+
                                                                                                  MD5:3F80884F3D1F3B9D5D3C7279131ECB4D
                                                                                                  SHA1:17AB016E8AFA453B5A7DA19A6F2AB6AE0B3D78F4
                                                                                                  SHA-256:4D09EE22E6A9BFB33E13F5391830FFDA13A572DC6DA1E22D1DEE3D4CAD7BBBD9
                                                                                                  SHA-512:363579BDE28329209801FFA7EE0A3A5DD4278886453221768D2F3D7A1ECFE348884004FA08F9B6006E35A6098B72F1738B7B425C9AC8F5F2ACBDC5FD26EEA50A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdcolman.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Color Management specific GPD settings...*%....*%******************************************************************************..*% PageColorManagement..*%******************************************************************************..*Feature: PageColorManagement..{.. *rcNameID: =IDS_GPD_PAGECOLMAN.. *DefaultOption: None.. *PrintSchemaKeywordMap: "PageColorManagement".... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. *PrintSchemaKeywordMap: "None".. }.... *Option: Device.. {.. *rcNameID: =IDS_GPD_D
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6871
                                                                                                  Entropy (8bit):4.6709110049190015
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:sDuHL5cq9ORGELoQ+4JH3U/y5EDeP8N4f6TfSqXYY0s9DOS:3HL5G0Ex+AX0yAePzO0S
                                                                                                  MD5:9196C9FAF999C94DA04F4679E823D753
                                                                                                  SHA1:BF4445CFF27EC04248BB645C74AAAF6B1EE95B6D
                                                                                                  SHA-256:411DFDB99C624831D1E755AD5D861ECE1C2EFCEF23A6C7F89F6C2BA251BBED0A
                                                                                                  SHA-512:94A3C1F51B03A91220F9AEF9D8BDDAB6DAD74BE971D5D16B5B308DC5403DE1AFCB3A8D40E0F48CEC1834DE596192BED99C78B03B2538A9594B99347B589650B1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnames.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver GPD resource names...*%....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }.. *Option: xdsmplui.. {.. *Name: "xdsmplui.dll".. }..}....*Macros: StdFeatureNames..{.. IDS_GPD_1PPS: RESDLL.xdsmplui.2000.. IDS_GPD_2PPS: RESDLL.xdsmplui.2001.. IDS_GPD_4PPS: RESDLL.xdsmplui.2002.. IDS_GPD_6PPS: RESDLL.xdsmplui.2003.. IDS_GPD_8PPS:
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4068
                                                                                                  Entropy (8bit):4.508459493570281
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:sDuHqDYRxRGRDRPRbRERfRSdg9Re9RxjR4RURFRjjRkRSRA1sogRyRGRDRPRbREN:3HqZtgst0P
                                                                                                  MD5:CFFD55A27BDF496CABE9C41E80A42A72
                                                                                                  SHA1:09225D86A48948152DE3AF346491B893579253CA
                                                                                                  SHA-256:D0B69D3877190BFAFCADB90D9D4F6C81DA15CD5E3CBE45BAB4E60BC812FF32C0
                                                                                                  SHA-512:D1F0A7C72657897B2394D8C166D4E079CAB6CC3BE35621A8B014F541A1A73245DDD0865C4AE810E1784AC973AEA0419F7DFC42DA42A5B81284B539DC0A24EB29
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnup.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver NUp specific GPD settings...*%....*%******************************************************************************..*% JobNUpAllDocumentsContiguously..*%******************************************************************************..*Feature: JobNUpAllDocumentsContiguously..{.. *rcNameID: =IDS_GPD_JOBNUP.. *DefaultOption: 1.. *PrintSchemaKeywordMap: "JobNUpAllDocumentsContiguously".... *Option: 1.. {.. *rcNameID: =IDS_GPD_1PPS.. }.... *Option: 2.. {.. *rcNameID: =IDS_GPD_2PPS.. }.... *Option: 4.. {..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2522
                                                                                                  Entropy (8bit):4.708364933060842
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9Ydp88+qRIOR3NRXRAR6R5eR7RZboRaYipRazRapjRafRa6RamRaRA:sDuHco4RDR3NRXRAR6R5eR7RZboRaYuY
                                                                                                  MD5:F492FC30EFAE3C1548C17D4419E37778
                                                                                                  SHA1:887F31639800999D7225AF1EE3F26B601D726401
                                                                                                  SHA-256:08FF54CC8DC7E978B8129017307F4455025FC37F891A9EE6CAD37ADA5EB0CEC7
                                                                                                  SHA-512:0F354DBC8B430B168EBAA1BBBAE48DFC6DD285912C1324673BD04AFBDD2947CC3BA8448B440337655377A43A40DC9592CDE26F71A635EEB12746877971C5519D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdpgscl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver page scaling specific GPD settings...*%....*%******************************************************************************..*% PageScaling..*%******************************************************************************..*Feature: PageScaling..{.. *rcNameID: =IDS_GPD_PAGESCALING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Custom.. {.. *rcNameID: =IDS_GPD_CUSTOM.. }.... *Option: CustomSquare.. {.. *rcNameID: =IDS_GPD_CUSTSQUARE.. }.... *Option:
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2476
                                                                                                  Entropy (8bit):5.158189280019379
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:qDG8kHYKsJyhBk//ojAd+6IG0c9RLN0KUvfaZhcLNhpMubDUHeLNq63PfaZhcLNM:qDhkHtsI4aV46+ZhOb2tZhzZh7jZh/v
                                                                                                  MD5:B628B4F8CC199D26E18FE27BD4A29BBD
                                                                                                  SHA1:CBB6FB510D708AE85CC0F715617BCD788A613727
                                                                                                  SHA-256:12DCC665FDEFEE3D3D771F5727F86FB812C606FCE0E7A3DA943A2072295D2984
                                                                                                  SHA-512:825E8583B140C3CA5C44669AAAEF7654A90977F15FD0959FC17DEE30E18C3275EDFE2366A5C90CE707AF28951A56194CBA0CBEE6967CD95FA9CA8CFD6EF189F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: ....Copyright (c) 2005 Microsoft Corporation....All rights reserved.....THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..PARTICULAR PURPOSE.....File Name:.... xdsmpl-pipelineconfig.xml....Abstract:.... XPSDrv sample driver filter configuration file. This identifies the.. filters that comprise the filter pipeline and their order.....-->....<Filters>.. <Filter dll = "XDWMark.dll".. clsid = "{B8B525BF-F147-460a-B2D5-9DFB1F30D0FD}".. name = "Watermark filter">.. <Input guid = "{b8cf8530-5562-47c4-ab67-b1f69ecf961e}" comment="IID_IXpsDocumentProvider"/>.. <Output guid = "{4368d8a2-4181-4a9f-b295-3d9a38bb9ba0}" comment="IID_IXpsDocumentConsumer"/>.. </Filter>.. <Filter dll = "XDScale.dll".. clsid = "{976EDCE4-274E-482a-97
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11986
                                                                                                  Entropy (8bit):4.7262628705263445
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:3HDc4F4V4U4k4v4g4L4wfyPUc5Bn+vjdQjNuDVjFfJCk72sI/72sIPTZGjo2D:KyPUc5Bn+bdsN4jFfJR25T25wZ
                                                                                                  MD5:E1F2A2FD0D41438A375F0DDC1822AA7C
                                                                                                  SHA1:267F8BFFABCCA4D46556519C105C0C6055B6F6D0
                                                                                                  SHA-256:606E0918952F5441D31F5335F09FD6AACAE0A5850A0174280FF34F6772A0B768
                                                                                                  SHA-512:1CF4B1E989819ECB134DCBD9C842F69D97A4949ED319D712BF14729C8A0BE0FF22122E3FADC4F4B2A86916F5EBF717E5CCE6E7620DD90EA73551CB523703EC0C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdsmpl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver main GPD file...*%....*GPDFileVersion: "1.2"..*GPDSpecVersion: "1.2"..*GPDFileName: "XDSmpl.gpd"..*Include: "msxpsinc.gpd"..*Include: "StdNames.gpd"..*Include: "xdnames.gpd"..*Include: "xdwmark.gpd"..*Include: "xdbook.gpd"..*Include: "xdcolman.gpd"..*Include: "xdnup.gpd"..*Include: "xdpgscl.gpd"..*ModelName: "XPSDrv Sample Driver"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 1....*%*********************************************************************
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):475
                                                                                                  Entropy (8bit):5.248799523355892
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:fp+BF8aNytrHLCSKsSHUJhGbkxIESnPEcF4RqWo40nUv:fp+D8MkHLNKsSyh2kBoP3FsqA02
                                                                                                  MD5:2EFCEBC23D661F3BFA0A4A4BE0588466
                                                                                                  SHA1:1ED92AEC943CFE143A7DBBCE2A82141D67FB9169
                                                                                                  SHA-256:DC50AFD088B0D72935D0CDF8F99071A7C80A4979BC9AF915016DD847F222EBE9
                                                                                                  SHA-512:FC1FF31E2CBFA1BC8A825548C6C4661236FAF12D8B75F25010E783DE116FC48B61F0188A4673C2C60A52181F6E7F0EFE39BF9B0A7D35B1937EC02B97FCCB7955
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:;..; Copyright (c) 2005 Microsoft Corporation..;..; All rights reserved...;..; THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..; ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..; PARTICULAR PURPOSE...;..; File Name:..;..; xdsmpl.ini..;..; Abstract:..;..; XPSDrv sample driver configuration file for UI plug-in...;....[OEMFiles]..OEMConfigFile1=xdsmplui.DLL......
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1554
                                                                                                  Entropy (8bit):4.555759044915239
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9Tmm8LYReOR1RwrRpRajx8LZRzQRVRC:sDuHnmmoYRVR1RwrRpRajxoZRcRVRC
                                                                                                  MD5:C922269B15071195905ACE600AC9B02C
                                                                                                  SHA1:BCC559EBBFCAC61A67905B5DBB9D3E8E27D413E5
                                                                                                  SHA-256:2FC61A7629E0382699E8178AC8131666BB1BADA65F9B7AC738E7620C1D3A4E40
                                                                                                  SHA-512:C4ACE0F94150ED02580A365798981FD30484B3E13576624620377F077AD4A6C0AA06ED3DBC1B8A64406F357321A9AD027A1A12D9C98A407D27B58CA857D74E84
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdwmark.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver watermark specific GPD settings...*%....*%******************************************************************************..*% PageWatermark..*%******************************************************************************..*Feature: PageWatermarkType..{.. *rcNameID: =IDS_GPD_WATERMARKTYPE.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Text.. {.. *rcNameID: =IDS_GPD_TEXT.. }.... *Option: Raster.. {.. *rcNameID: =IDS_GPD_RASTERIMAGE.. }.... *Option: Ve
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Microsoft color profile 2.2, type lino, RGB/Lab-spac device by MSFT, 124856 bytes, 10-5-2006 12:14:35 "Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut M"
                                                                                                  Category:dropped
                                                                                                  Size (bytes):124856
                                                                                                  Entropy (8bit):6.796177094859484
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:wq47C9ZJMKkyYHlMRyu2FK0MjUq2mX14F4Q7asMM06KI:w29bMPyASyumQwmleHf91
                                                                                                  MD5:45CC4B43673056B8625ADD43EFDF33DD
                                                                                                  SHA1:2A7E28C7696CAF775344A31A23DCDADF15A5F1BD
                                                                                                  SHA-256:089BE57682C9F866DCCE74E1D174AA9816BC0992C1CE6EC01E03958964EF852A
                                                                                                  SHA-512:08A1FEA06EED5B874BE487F0F523ADCB98262FFA7158F54A724963827ACBF6318EEE99948AEB999C6F6EF875EA04E2B2377CBE623BB4679FB90BE785C75560DC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Microsoft color profile 2.2, type lino, CMYK/Lab-prtr device by MSFT, 849080 bytes, 10-5-2006 15:02:14 "Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile f"
                                                                                                  Category:dropped
                                                                                                  Size (bytes):849080
                                                                                                  Entropy (8bit):6.924819797081704
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:nupHTMj2vkdYa+kYfwx+rbgal21W0M5SU1yr2U5fOFQw8LHxrLiYJVarTH46xL1F:upgavkz+UIUBRm020G7
                                                                                                  MD5:8EE08E7B69A5F2ECA6BB3A5EEDB48649
                                                                                                  SHA1:FF7CFA21BDCB220EC0450E76A1C2AB0854CAEBD6
                                                                                                  SHA-256:2B215C1FA5CAA10582BDAFE6B51A911C9D8B2B0B456EEEFF955064FDC3844D98
                                                                                                  SHA-512:12AEA33F800D5203811DE1FFA1181BD1B8A58C54BD52A9D2BF7A4084CC2BBC52C9E74E9434C41C6B1EB2CA451E81D5E11B3CE6B827BA4B0F14927EB4FAD62FF0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1808
                                                                                                  Entropy (8bit):4.525972600570173
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9QltHlRIORmRCjR73RpRvrmRCgORmRCjR73RpRS:sDuH87FRDRmRCjRrRpRvrmRCbRmRCjRI
                                                                                                  MD5:9303837EFF41196B0FC3D6AD46FE43AF
                                                                                                  SHA1:9AFBCA730F3A98C5C43AC1AF156BCD6C3CE366E5
                                                                                                  SHA-256:ABD2E8A90B9949D61DF21DF88AED7040542555A0228BB0B375439F8488A06294
                                                                                                  SHA-512:9F8C9956CEB14B7A275B346A48A1C010DEB23D94BAB4E0FFD395D23B5573533EB80630092CA6A458D33762E55C260752CA294B5E0632179ECC18F17A0B961D55
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdbook.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Booklet specific GPD settings...*%....*%******************************************************************************..*% JobBindAllDocuments..*%******************************************************************************..*Feature: JobBindAllDocuments..{.. *rcNameID: =IDS_GPD_JOBBINDING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: BindLeft.. {.. *rcNameID: =IDS_GPD_LTOR.. }.... *Option: BindRight.. {.. *rcNameID: =IDS_GPD_RTOL.. }.... *Option:
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2718
                                                                                                  Entropy (8bit):4.658165462032682
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9xmSx8iZR/+eRxSRURJPRo/8nRFGR7RrXh8TpR9KbzkR5BMLkRWkc4:sDuHN/DRFRkRURJPRo/ARYR7Rrx+R98+
                                                                                                  MD5:3F80884F3D1F3B9D5D3C7279131ECB4D
                                                                                                  SHA1:17AB016E8AFA453B5A7DA19A6F2AB6AE0B3D78F4
                                                                                                  SHA-256:4D09EE22E6A9BFB33E13F5391830FFDA13A572DC6DA1E22D1DEE3D4CAD7BBBD9
                                                                                                  SHA-512:363579BDE28329209801FFA7EE0A3A5DD4278886453221768D2F3D7A1ECFE348884004FA08F9B6006E35A6098B72F1738B7B425C9AC8F5F2ACBDC5FD26EEA50A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdcolman.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Color Management specific GPD settings...*%....*%******************************************************************************..*% PageColorManagement..*%******************************************************************************..*Feature: PageColorManagement..{.. *rcNameID: =IDS_GPD_PAGECOLMAN.. *DefaultOption: None.. *PrintSchemaKeywordMap: "PageColorManagement".... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. *PrintSchemaKeywordMap: "None".. }.... *Option: Device.. {.. *rcNameID: =IDS_GPD_D
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6871
                                                                                                  Entropy (8bit):4.6709110049190015
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:sDuHL5cq9ORGELoQ+4JH3U/y5EDeP8N4f6TfSqXYY0s9DOS:3HL5G0Ex+AX0yAePzO0S
                                                                                                  MD5:9196C9FAF999C94DA04F4679E823D753
                                                                                                  SHA1:BF4445CFF27EC04248BB645C74AAAF6B1EE95B6D
                                                                                                  SHA-256:411DFDB99C624831D1E755AD5D861ECE1C2EFCEF23A6C7F89F6C2BA251BBED0A
                                                                                                  SHA-512:94A3C1F51B03A91220F9AEF9D8BDDAB6DAD74BE971D5D16B5B308DC5403DE1AFCB3A8D40E0F48CEC1834DE596192BED99C78B03B2538A9594B99347B589650B1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnames.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver GPD resource names...*%....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }.. *Option: xdsmplui.. {.. *Name: "xdsmplui.dll".. }..}....*Macros: StdFeatureNames..{.. IDS_GPD_1PPS: RESDLL.xdsmplui.2000.. IDS_GPD_2PPS: RESDLL.xdsmplui.2001.. IDS_GPD_4PPS: RESDLL.xdsmplui.2002.. IDS_GPD_6PPS: RESDLL.xdsmplui.2003.. IDS_GPD_8PPS:
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4068
                                                                                                  Entropy (8bit):4.508459493570281
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:sDuHqDYRxRGRDRPRbRERfRSdg9Re9RxjR4RURFRjjRkRSRA1sogRyRGRDRPRbREN:3HqZtgst0P
                                                                                                  MD5:CFFD55A27BDF496CABE9C41E80A42A72
                                                                                                  SHA1:09225D86A48948152DE3AF346491B893579253CA
                                                                                                  SHA-256:D0B69D3877190BFAFCADB90D9D4F6C81DA15CD5E3CBE45BAB4E60BC812FF32C0
                                                                                                  SHA-512:D1F0A7C72657897B2394D8C166D4E079CAB6CC3BE35621A8B014F541A1A73245DDD0865C4AE810E1784AC973AEA0419F7DFC42DA42A5B81284B539DC0A24EB29
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnup.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver NUp specific GPD settings...*%....*%******************************************************************************..*% JobNUpAllDocumentsContiguously..*%******************************************************************************..*Feature: JobNUpAllDocumentsContiguously..{.. *rcNameID: =IDS_GPD_JOBNUP.. *DefaultOption: 1.. *PrintSchemaKeywordMap: "JobNUpAllDocumentsContiguously".... *Option: 1.. {.. *rcNameID: =IDS_GPD_1PPS.. }.... *Option: 2.. {.. *rcNameID: =IDS_GPD_2PPS.. }.... *Option: 4.. {..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2522
                                                                                                  Entropy (8bit):4.708364933060842
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9Ydp88+qRIOR3NRXRAR6R5eR7RZboRaYipRazRapjRafRa6RamRaRA:sDuHco4RDR3NRXRAR6R5eR7RZboRaYuY
                                                                                                  MD5:F492FC30EFAE3C1548C17D4419E37778
                                                                                                  SHA1:887F31639800999D7225AF1EE3F26B601D726401
                                                                                                  SHA-256:08FF54CC8DC7E978B8129017307F4455025FC37F891A9EE6CAD37ADA5EB0CEC7
                                                                                                  SHA-512:0F354DBC8B430B168EBAA1BBBAE48DFC6DD285912C1324673BD04AFBDD2947CC3BA8448B440337655377A43A40DC9592CDE26F71A635EEB12746877971C5519D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdpgscl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver page scaling specific GPD settings...*%....*%******************************************************************************..*% PageScaling..*%******************************************************************************..*Feature: PageScaling..{.. *rcNameID: =IDS_GPD_PAGESCALING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Custom.. {.. *rcNameID: =IDS_GPD_CUSTOM.. }.... *Option: CustomSquare.. {.. *rcNameID: =IDS_GPD_CUSTSQUARE.. }.... *Option:
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2476
                                                                                                  Entropy (8bit):5.158189280019379
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:qDG8kHYKsJyhBk//ojAd+6IG0c9RLN0KUvfaZhcLNhpMubDUHeLNq63PfaZhcLNM:qDhkHtsI4aV46+ZhOb2tZhzZh7jZh/v
                                                                                                  MD5:B628B4F8CC199D26E18FE27BD4A29BBD
                                                                                                  SHA1:CBB6FB510D708AE85CC0F715617BCD788A613727
                                                                                                  SHA-256:12DCC665FDEFEE3D3D771F5727F86FB812C606FCE0E7A3DA943A2072295D2984
                                                                                                  SHA-512:825E8583B140C3CA5C44669AAAEF7654A90977F15FD0959FC17DEE30E18C3275EDFE2366A5C90CE707AF28951A56194CBA0CBEE6967CD95FA9CA8CFD6EF189F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: ....Copyright (c) 2005 Microsoft Corporation....All rights reserved.....THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..PARTICULAR PURPOSE.....File Name:.... xdsmpl-pipelineconfig.xml....Abstract:.... XPSDrv sample driver filter configuration file. This identifies the.. filters that comprise the filter pipeline and their order.....-->....<Filters>.. <Filter dll = "XDWMark.dll".. clsid = "{B8B525BF-F147-460a-B2D5-9DFB1F30D0FD}".. name = "Watermark filter">.. <Input guid = "{b8cf8530-5562-47c4-ab67-b1f69ecf961e}" comment="IID_IXpsDocumentProvider"/>.. <Output guid = "{4368d8a2-4181-4a9f-b295-3d9a38bb9ba0}" comment="IID_IXpsDocumentConsumer"/>.. </Filter>.. <Filter dll = "XDScale.dll".. clsid = "{976EDCE4-274E-482a-97
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11986
                                                                                                  Entropy (8bit):4.7262628705263445
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:3HDc4F4V4U4k4v4g4L4wfyPUc5Bn+vjdQjNuDVjFfJCk72sI/72sIPTZGjo2D:KyPUc5Bn+bdsN4jFfJR25T25wZ
                                                                                                  MD5:E1F2A2FD0D41438A375F0DDC1822AA7C
                                                                                                  SHA1:267F8BFFABCCA4D46556519C105C0C6055B6F6D0
                                                                                                  SHA-256:606E0918952F5441D31F5335F09FD6AACAE0A5850A0174280FF34F6772A0B768
                                                                                                  SHA-512:1CF4B1E989819ECB134DCBD9C842F69D97A4949ED319D712BF14729C8A0BE0FF22122E3FADC4F4B2A86916F5EBF717E5CCE6E7620DD90EA73551CB523703EC0C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdsmpl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver main GPD file...*%....*GPDFileVersion: "1.2"..*GPDSpecVersion: "1.2"..*GPDFileName: "XDSmpl.gpd"..*Include: "msxpsinc.gpd"..*Include: "StdNames.gpd"..*Include: "xdnames.gpd"..*Include: "xdwmark.gpd"..*Include: "xdbook.gpd"..*Include: "xdcolman.gpd"..*Include: "xdnup.gpd"..*Include: "xdpgscl.gpd"..*ModelName: "XPSDrv Sample Driver"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 1....*%*********************************************************************
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):475
                                                                                                  Entropy (8bit):5.248799523355892
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:fp+BF8aNytrHLCSKsSHUJhGbkxIESnPEcF4RqWo40nUv:fp+D8MkHLNKsSyh2kBoP3FsqA02
                                                                                                  MD5:2EFCEBC23D661F3BFA0A4A4BE0588466
                                                                                                  SHA1:1ED92AEC943CFE143A7DBBCE2A82141D67FB9169
                                                                                                  SHA-256:DC50AFD088B0D72935D0CDF8F99071A7C80A4979BC9AF915016DD847F222EBE9
                                                                                                  SHA-512:FC1FF31E2CBFA1BC8A825548C6C4661236FAF12D8B75F25010E783DE116FC48B61F0188A4673C2C60A52181F6E7F0EFE39BF9B0A7D35B1937EC02B97FCCB7955
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:;..; Copyright (c) 2005 Microsoft Corporation..;..; All rights reserved...;..; THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..; ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..; PARTICULAR PURPOSE...;..; File Name:..;..; xdsmpl.ini..;..; Abstract:..;..; XPSDrv sample driver configuration file for UI plug-in...;....[OEMFiles]..OEMConfigFile1=xdsmplui.DLL......
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1554
                                                                                                  Entropy (8bit):4.555759044915239
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9Tmm8LYReOR1RwrRpRajx8LZRzQRVRC:sDuHnmmoYRVR1RwrRpRajxoZRcRVRC
                                                                                                  MD5:C922269B15071195905ACE600AC9B02C
                                                                                                  SHA1:BCC559EBBFCAC61A67905B5DBB9D3E8E27D413E5
                                                                                                  SHA-256:2FC61A7629E0382699E8178AC8131666BB1BADA65F9B7AC738E7620C1D3A4E40
                                                                                                  SHA-512:C4ACE0F94150ED02580A365798981FD30484B3E13576624620377F077AD4A6C0AA06ED3DBC1B8A64406F357321A9AD027A1A12D9C98A407D27B58CA857D74E84
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdwmark.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver watermark specific GPD settings...*%....*%******************************************************************************..*% PageWatermark..*%******************************************************************************..*Feature: PageWatermarkType..{.. *rcNameID: =IDS_GPD_WATERMARKTYPE.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Text.. {.. *rcNameID: =IDS_GPD_TEXT.. }.... *Option: Raster.. {.. *rcNameID: =IDS_GPD_RASTERIMAGE.. }.... *Option: Ve
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Microsoft color profile 2.2, type lino, RGB/Lab-spac device by MSFT, 124856 bytes, 10-5-2006 12:14:35 "Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut M"
                                                                                                  Category:dropped
                                                                                                  Size (bytes):124856
                                                                                                  Entropy (8bit):6.796177094859484
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:wq47C9ZJMKkyYHlMRyu2FK0MjUq2mX14F4Q7asMM06KI:w29bMPyASyumQwmleHf91
                                                                                                  MD5:45CC4B43673056B8625ADD43EFDF33DD
                                                                                                  SHA1:2A7E28C7696CAF775344A31A23DCDADF15A5F1BD
                                                                                                  SHA-256:089BE57682C9F866DCCE74E1D174AA9816BC0992C1CE6EC01E03958964EF852A
                                                                                                  SHA-512:08A1FEA06EED5B874BE487F0F523ADCB98262FFA7158F54A724963827ACBF6318EEE99948AEB999C6F6EF875EA04E2B2377CBE623BB4679FB90BE785C75560DC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55112
                                                                                                  Entropy (8bit):6.95804253448452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:+EmCoFSZSI9Xhq7xYQAucXy069A3hKhy06ia3hyKb3LCxLVNe9zLuX:+EmPFSYWXf69A3hK16x3hyKbOnNazSX
                                                                                                  MD5:9D62CBDE4079B1BE2CB1B91BDD74E539
                                                                                                  SHA1:C54E743DE54B9D1D35CDA8F15562483163A064C0
                                                                                                  SHA-256:63347E07C934A788F5996EF91D86F718C273DB6221BF448F0659F70194A65031
                                                                                                  SHA-512:E3DE199BAABCB087A07071D67F2A0EE3E0F01E06B23B75B6FDCF1146CE782263E1A63D32B4DAFF3699766FD3922AB41F9DCB4497398DB5F0DA9EA33F5FDDF24C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):62816
                                                                                                  Entropy (8bit):6.690155437787919
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:7FkBLAYEMVmkPGsfD6ppH3hLW6G3heObqQyvzP:75YskPGiDaphWqOuQyvr
                                                                                                  MD5:9CE89A1A93E196AA261561B1E5C3AFC6
                                                                                                  SHA1:8ECDB82C1C4A9C4431826097EDB11718152AD7A5
                                                                                                  SHA-256:CBB084056495566BFC8D933D7094694053ADDB91C190F95F791016CF6368D94D
                                                                                                  SHA-512:A4E7E93819CDCFDF0ED468F0138AD2774D2D7D8A587A01A4745F61AC27DFCD41A49922827E7029FC7564DF3866C64464B7B131CEBF3D39AD85D94E533AE53C5B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285
                                                                                                  Entropy (8bit):4.794885910225241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:fAjsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9RNIgm9MOdELVb4NMD7:EWZ9dAudm95dyE239nd9RGpDdwh7
                                                                                                  MD5:1690361AD6F64AA935F0C71847F763B6
                                                                                                  SHA1:5F8682A46B5A4DF1F03D8078240F6619B0C90DDF
                                                                                                  SHA-256:D7CBA410A986FD863C69BDB98311A2F49E04F3ED7C1499C6A5557B7BA856B5AE
                                                                                                  SHA-512:2CE17EEF081E5C7F68E7584413C65242A1CE240B23F1226906DB6F6BC12E97B834545DA6B43BE5903D6EDBC66B1899634D9115E6688961F5547297819989D2EE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon.exe install stvad.inf *STVAD >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):289
                                                                                                  Entropy (8bit):4.864786270026779
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9RNIgm9MOdRL6Vb4NMD7:kWZ9dAudE95d0E239Jd9RGpDdCh7
                                                                                                  MD5:678C5FB9E1F87E4986E2B80B55740A9C
                                                                                                  SHA1:3E30F2B668EEAE7F8D0A192F6F3B9EE6213D58E8
                                                                                                  SHA-256:E04797F8F85EAAB68DA60C9E2F08E224DBF379ECC6085BD2A8C79974FF1D46E3
                                                                                                  SHA-512:B6FD46FE165ACB6169056465248078B9794669846B57E616F8DB923C6EDD324A625BE968E499463BADC7B99660A8CE3304333BA9D92D8907C98C6B3CB6B7DB6E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon64.exe install stvad.inf *STVAD >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11950
                                                                                                  Entropy (8bit):7.350152493437532
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:mgQzOQtQyQHOQqQWNJCHF1agjEwOXP6hYCe68JGlD/Jn9VOMbSX01k9z3AoXSkqr:INg/k6h3e1GlD/LVNSR9zrVqr
                                                                                                  MD5:6E88194D307CE842B43826CA7B473411
                                                                                                  SHA1:1C8767D498A53C6287EA89BCEB43A21C4F4AF479
                                                                                                  SHA-256:E75BF820E72813D3C46D11502267B3FE445E9A7F05E855DF97811D3E2333EE3A
                                                                                                  SHA-512:016B756C585648B0AF746E906302FC021516B0419DBD9B5444B11C709D3C6AE8CF330A1A49D7ACD341846D558FDC18C1DE5B97DA59ED53C887A854B8BDA5679F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4338
                                                                                                  Entropy (8bit):5.5192534972153515
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:2kSMHhlJjFdN5JHzI8LeTMdH33I8vV4xmzAchZ8MMCuj:2kSMHdxdnJHTeT+3B4xm09j
                                                                                                  MD5:8E91B0F01FFE8DF22050392F91D8F28D
                                                                                                  SHA1:1ECD2875D29F0F6DE62C1DBA4535D7496846B70D
                                                                                                  SHA-256:946AE6ACA55B363D7550415372A8A483BEDA152920104EE4675DD4AC2169ECA1
                                                                                                  SHA-512:5B421B323084E851154C15E22769BDBA12C555DD8DF949B21719CF13C0549EEE1AC48C4EC4802EC08A725A4515C449BACE6E43F0DC67B54BAB1DB08D2408AA59
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature..= "$CHICAGO$"..Class...= MEDIA..Provider..= %ST%..ClassGUID..= {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 02/14/2022,1.0.3.0..CatalogFile .= stvad.cat....[SourceDisksNames.x86]..222 = "STVAD Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVAD Driver Disk","",222,\64bits....[SourceDisksFiles]..stvad.sys = 222....;;This syntax is only recognized on Windows XP and above- it is needed to install 64-bit drivers on..;;Windows Server 2003 Service Pack 1 and above.....[Manufacturer]..%MfgName% = SplashtopDS, NTAMD64, NTx86....;; For Windows Server 2003 Service Pack 1 and above, a 64-bit OS will not install a driver..;; unless the Manufacturer and Models Sections explicitly show it is a driver for that platform..;; But the individual model section decorations (or lack thereof) work as they always have...;; All of the model sections referred to are undecorated or NT-decorated, hence work on all platforms....[SplashtopDS]..%STVAD.DeviceDesc% =
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):206
                                                                                                  Entropy (8bit):4.79285514077006
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9R7:kWZ9dAudm95dyE239nd9R7
                                                                                                  MD5:9EAFE2CC76D906E1C4F0FCB2A485A453
                                                                                                  SHA1:51D48B136B7AD1BBA162D3674F249A6832F9B55E
                                                                                                  SHA-256:9C01560D63FA71D8492B5B866E02902EA5AD8DF54B5678DCA54160F787AD7BC2
                                                                                                  SHA-512:76D1A89F064AD7C9B89D9FBD06735837E4B47220F2B790B2BE3DCC63251923F7D0B2B8DB5B3983D4E7B94DA1DFCB3EC9EC81C0927446E05D4EECA9CD293CE4F8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):212
                                                                                                  Entropy (8bit):4.871313263028117
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9R7:kWZ9dAudE95d0E239Jd9R7
                                                                                                  MD5:A2DA78EF1F7BC59138D71F85D6310ECA
                                                                                                  SHA1:912DCBFF74495F0235A969BCE934B421086DD175
                                                                                                  SHA-256:A980C2CD38F4D2F06E6A5DC96BFFFB8EC39A7A1254D5FF6ED1E7F44048F66AE1
                                                                                                  SHA-512:32DAD786E55680F653F7F5570189E2C0F815CE0A69221B91743B67407587E9A13C414E5ECCEB2CD02A3C0A805E3D6D2639948DD22DFAC3B6FF56D74CC468AD56
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45320
                                                                                                  Entropy (8bit):6.720475524234058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:G9CoFe+yIPYhqU1YQ7YemerV3hvrOyk3hH63:G9PFe3VYq3hvrOX3hH+
                                                                                                  MD5:A9D239E41BAED5879255923481C73D11
                                                                                                  SHA1:FE581685174CEFCAD994BB8EC1A70537BB8CA626
                                                                                                  SHA-256:5118FB2A6A4B1E37AA12544E5864B77733739FB5EFBC4997F3A5A3EF385FE9B9
                                                                                                  SHA-512:5460CDDD61A79C9C4982106344F4354E55C93AC996EF7315DE635F2F45EFE8A9BDFF37664137E7307E8C9654BCD16ACC65B8471D08E09DAA798502B0973E3DAD
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53000
                                                                                                  Entropy (8bit):6.411029825578745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:HD4P58VeNfba5EMjxMXOkvmWvwDtmmEfdgA5lER3hjgxW3hyB:8PiVeNYEMVz4TVRl+3hjgg3hyB
                                                                                                  MD5:E623E53FAE062F43180174FA01E7B6E0
                                                                                                  SHA1:7843125E12A3DF5A9DC1FB052CCC34B993A18F00
                                                                                                  SHA-256:D68E13044485D730E183449E3F34D45E319199D376C7528FC8DDA87CA5A22034
                                                                                                  SHA-512:26E342BC8E28CB447BF4F1FC4F1A7A0CA2186B4AC78CDC062B29CC206ED1FAC2E0825748DF26AA0E893795820A77D6D269F4DFCB2162E5877710D7DE8FD1365B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285
                                                                                                  Entropy (8bit):4.794885910225241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:fAjsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9RNIgm9MOdELVb4NMD7:EWZ9dAudm95dyE239nd9RGpDdwh7
                                                                                                  MD5:1690361AD6F64AA935F0C71847F763B6
                                                                                                  SHA1:5F8682A46B5A4DF1F03D8078240F6619B0C90DDF
                                                                                                  SHA-256:D7CBA410A986FD863C69BDB98311A2F49E04F3ED7C1499C6A5557B7BA856B5AE
                                                                                                  SHA-512:2CE17EEF081E5C7F68E7584413C65242A1CE240B23F1226906DB6F6BC12E97B834545DA6B43BE5903D6EDBC66B1899634D9115E6688961F5547297819989D2EE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon.exe install stvad.inf *STVAD >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):289
                                                                                                  Entropy (8bit):4.864786270026779
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9RNIgm9MOdRL6Vb4NMD7:kWZ9dAudE95d0E239Jd9RGpDdCh7
                                                                                                  MD5:678C5FB9E1F87E4986E2B80B55740A9C
                                                                                                  SHA1:3E30F2B668EEAE7F8D0A192F6F3B9EE6213D58E8
                                                                                                  SHA-256:E04797F8F85EAAB68DA60C9E2F08E224DBF379ECC6085BD2A8C79974FF1D46E3
                                                                                                  SHA-512:B6FD46FE165ACB6169056465248078B9794669846B57E616F8DB923C6EDD324A625BE968E499463BADC7B99660A8CE3304333BA9D92D8907C98C6B3CB6B7DB6E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon64.exe install stvad.inf *STVAD >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18540
                                                                                                  Entropy (8bit):7.313988713784432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1+wARK7Nm4UB1LtL8JN77hh/onRK7Nm4UxY28JN77hh07V:8wUh23hRoR83hGV
                                                                                                  MD5:52973E06C8A2587300797DEBD419A08C
                                                                                                  SHA1:8D13082BEEF0B4240B67F7D04809A25C8CC3834F
                                                                                                  SHA-256:AACA5F16D57F7C9CBA15F8420FA57CB0F222F3FD28051FD1C103AEBEBA681D05
                                                                                                  SHA-512:60CE0E47DD5B42DB77BBF507AEB939CA26ECA50A5A6F5FF4731D4E65230335BC5F8E47A1B60466B6BB2CACB582F7F0BEACEAA956A2A50D5C5645F0591D4DF8B0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3217
                                                                                                  Entropy (8bit):5.702969738113695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:2kQG735yUI8LeHdT3I8vV4xDKKr84QM5MFgWCwj:2kQG7pyye1B4x+I8pj
                                                                                                  MD5:1574CF3E123B96142ACF789F852119FF
                                                                                                  SHA1:8781B4C061945A2E8E010EF129859BD1AA313C75
                                                                                                  SHA-256:3FF183B875687A9A2BAF0FBEFA52AC04CD5E869E6E4FD535CC7D1D1F4825A003
                                                                                                  SHA-512:29EA441281BA5A4E7B427335E36D0D6FA2A103D852DD16E460C4BE62E2640AE2117C1C64CFE6BFDC2A22FE9ADDE71B74DB5A1A6BF80D7BE0953FD593401F0311
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature..= "$CHICAGO$"..Class...= MEDIA..Provider..= %ST%..ClassGUID..= {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer ..= 09/16/2021, 1.0.2.0..CatalogFile .= stvad.cat....[DestinationDirs]..STVAD.CopyList = 10,system32\drivers....[SourceDisksNames.x86]..222 = "STVAD Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVAD Driver Disk","",222,\64bits....[SourceDisksFiles]..stvad.sys = 222....[Manufacturer]..%MfgName% = Splashtop, NTAMD64, NTx86....[Splashtop.NTAMD64]..%stvad.DeviceDesc% = STVAD, *STVAD....[Splashtop.NTx86]..%stvad.DeviceDesc% = STVAD, *STVAD....[STVAD]..AlsoInstall..= ks.registration(ks.inf),wdmaudio.registration(wdmaudio.inf)..CopyFiles..= STVAD.CopyList..AddReg...= STVAD.AddReg....[STVAD.CopyList]..stvad.sys....[STVAD.Interfaces]..AddInterface.= %KSCATEGORY_AUDIO%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATEGORY_RENDER%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATEGORY_CAPTURE%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATE
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):206
                                                                                                  Entropy (8bit):4.79285514077006
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9R7:kWZ9dAudm95dyE239nd9R7
                                                                                                  MD5:9EAFE2CC76D906E1C4F0FCB2A485A453
                                                                                                  SHA1:51D48B136B7AD1BBA162D3674F249A6832F9B55E
                                                                                                  SHA-256:9C01560D63FA71D8492B5B866E02902EA5AD8DF54B5678DCA54160F787AD7BC2
                                                                                                  SHA-512:76D1A89F064AD7C9B89D9FBD06735837E4B47220F2B790B2BE3DCC63251923F7D0B2B8DB5B3983D4E7B94DA1DFCB3EC9EC81C0927446E05D4EECA9CD293CE4F8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):212
                                                                                                  Entropy (8bit):4.871313263028117
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9R7:kWZ9dAudE95d0E239Jd9R7
                                                                                                  MD5:A2DA78EF1F7BC59138D71F85D6310ECA
                                                                                                  SHA1:912DCBFF74495F0235A969BCE934B421086DD175
                                                                                                  SHA-256:A980C2CD38F4D2F06E6A5DC96BFFFB8EC39A7A1254D5FF6ED1E7F44048F66AE1
                                                                                                  SHA-512:32DAD786E55680F653F7F5570189E2C0F815CE0A69221B91743B67407587E9A13C414E5ECCEB2CD02A3C0A805E3D6D2639948DD22DFAC3B6FF56D74CC468AD56
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53008
                                                                                                  Entropy (8bit):6.847750617309462
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:b9aXVnIo4e86mU2IpU88ukl7qqOky4QqSmOOgY3hs3BMBs3hsU4hJt34lz2:b9uV54e8Q6uoramO43hs3h3hsU4/tgy
                                                                                                  MD5:48A8D41400F7D4729A0FB3102B2FD7AF
                                                                                                  SHA1:709FCD8676F7E618B1D519D7C84422D90EAC81AD
                                                                                                  SHA-256:158BF7761E9A254E5D4608E62D11B86A682E505413C86128999F8EDC6294645D
                                                                                                  SHA-512:845DA37A4FC90DB0E4D1A0CE51E9436F3AB65289C4CAE189999A72DC516F09750FBE43D681746E5BD0C5E4E90C246BC58ADF95239A19A3E3E71000C0E8B46018
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59152
                                                                                                  Entropy (8bit):6.649199158440194
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Qidu9HV92g74x9xMtsqRdUx2PEvp/MuTP3hs0KI3hsE5Et367SH:09HV92Z9fx/MYP3hs0t3hsE+tK7+
                                                                                                  MD5:FFC5D6FFD92E2F5DD7D454B5EA624825
                                                                                                  SHA1:22DC6D072A87B95A215735D8A9002757F1C99F4B
                                                                                                  SHA-256:BF3806D063FD4982791FA5F5C50DDC5B7F49B40615F6CFCE96016571CA4AF7CB
                                                                                                  SHA-512:653CAB148E0CE24DF36C1EC02760F19C9100542FCA5885B665E8F98EE82118B7930D3B9C8BAF18C1D08B5E1D3D5F7B3DDF0041581116BA5973CE30DFF4C4A958
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):286
                                                                                                  Entropy (8bit):4.868409179176479
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:fAjsd94wqJ6dA3OdqA3PMOdyE23PMmfPP0NIgm4OdELV5FaA37:EWH9dAedNtdyE23rH0GpBdM97
                                                                                                  MD5:A9A42F8DE6BBE12230621C01C8FD5987
                                                                                                  SHA1:360D7B9C960AA8BCFAB960F5BC8FE4C8217BFF1D
                                                                                                  SHA-256:377B50263A4EC36A0133666CCC089CC065119FE290FA53D9397D414BFDE6DDF3
                                                                                                  SHA-512:CFCBE219768697E54E62F27C0BC318590055BD70BBAB73262ED93B4F7B8A993D6984DB2CE1A0DABE65A2E83204FAE61AB4896BCA56385E49DA7527B4567EDDFD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon.exe remove *STVSpkSimple >> inst.log...\utils\devcon.exe rescan >> inst.log...\utils\DIFxCmd.exe /u stvspk.inf >> inst.log....REM install...\utils\devcon.exe install stvspk.inf *STVSpkSimple >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):290
                                                                                                  Entropy (8bit):4.94060950303714
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd94wqJ6dA3OdRLiA3PMOdRLKE23PMmBPP0NIgm4OdRL6V5FaA37:kWH9dAedDtd0E239H0GpBdm97
                                                                                                  MD5:9DC29B6F9CC69C534977BFCDC98E2705
                                                                                                  SHA1:4AA931BE2C7297A93CEC4172F48EDDD8DBC4E3AB
                                                                                                  SHA-256:78CEDF996370DF8A59521A77BDDB7118610924A02625AA53BFE47975A23B3B8D
                                                                                                  SHA-512:5227EFC53C6D12C012691A920ADB77B51E9E939294B7B690774BDC16EFAC877D9D92C409D5197244279F4BE8052CA8FA9FCD37D82178807DABA8D0F528F179A7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon64.exe remove *STVSpkSimple >> inst.log...\utils\devcon64.exe rescan >> inst.log...\utils\DIFxCmd64.exe /u stvspk.inf >> inst.log....REM install...\utils\devcon64.exe install stvspk.inf *STVSpkSimple >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18559
                                                                                                  Entropy (8bit):7.313796375225627
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5eNwo6RK7Nm4UN1d08JN77hhOd5wTRK7Nm4UhkX88JN77hhOmT:Yw1n33hsd5wFIXf3hsmT
                                                                                                  MD5:3BEB01DAE131D8E2F595EA697676FD82
                                                                                                  SHA1:E4AE36B125E40E3964C176FAD1A2690317574A15
                                                                                                  SHA-256:B2E42C84B27299C6973FC976FF22837D156788A6D423286816DD9B551A959245
                                                                                                  SHA-512:DDCEB2EE00865574863F4E6D5CE32A4363FCBC85C42B75AE348FA1A09E1FC5284355A772E127372993560CA634B52447EE6F4CF7261691EB8EEDD0DD95731FEC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4530
                                                                                                  Entropy (8bit):5.531167619033096
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:TMuJlJjPHHXkP9bYxHJswZ4xNzp49RY8MMCuqx:TMuFDHX4yR4xNdezqx
                                                                                                  MD5:C6F9A3971989361505A22B26F16CBF33
                                                                                                  SHA1:228877B73EF10A0AF73693FB2B4F49FD6DA74049
                                                                                                  SHA-256:1D08A49A629D67FDC77E6EC38B90F10A2C7788BDE9EDE15075732DA010FCE8DB
                                                                                                  SHA-512:B49317454756DD29317838224D2B49A1D4CDB358B0BAE5EFBD6CD7F12CDEE018BF9F3A8D7D1484D64BA158821E3EBDC52D18BD601D999FFB9127A744BD477A3C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature = "$CHICAGO$"..Class = MEDIA..Provider = %ST%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer=08/26/2021,1.0.1.0..CatalogFile = stvspk.cat....[SourceDisksNames.x86]..222 = "STVSpk Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVSpk Driver Disk","",222,\64bits....[SourceDisksFiles]..stvspk.sys = 222....;;This syntax is only recognized on Windows XP and above- it is needed to install 64-bit drivers on..;;Windows Server 2003 Service Pack 1 and above.....[Manufacturer]..%MfgName% = SplashtopDS, NTAMD64, NTx86....;; For Windows Server 2003 Service Pack 1 and above, a 64-bit OS will not install a driver..;; unless the Manufacturer and Models Sections explicitly show it is a driver for that platform..;; But the individual model section decorations (or lack thereof) work as they always have...;; All of the model sections referred to are undecorated or NT-decorated, hence work on all platforms....[SplashtopDS]..%STVSpk.DeviceDesc%=STVSp
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):202
                                                                                                  Entropy (8bit):4.8854882526314825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd94wqJ6dA3OdqA3PMOdyE23PMmfPP07:kWH9dAedNtdyE23rH07
                                                                                                  MD5:3535AC984A69ED2E778B7F2B77618C94
                                                                                                  SHA1:3B6B19524DFAABDA5CF5FD2DD476A0108C928676
                                                                                                  SHA-256:98040E1CF91AB05E0341BAE64F1D8AD29077A5351C586F2507CFF4C41CA80A1C
                                                                                                  SHA-512:FD92393595D39F6260BB517DF38E82FBAB7BD7A9A79C276DEAFBDC69B123359F3D20C5A5B28AB06EFCB412E64E2AC940FA84FB130EAE9ACC778410119E7BF083
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon.exe remove *STVSpkSimple >> inst.log...\utils\devcon.exe rescan >> inst.log...\utils\DIFxCmd.exe /u stvspk.inf >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):208
                                                                                                  Entropy (8bit):4.961978816753448
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd94wqJ6dA3OdRLiA3PMOdRLKE23PMmBPP07:kWH9dAedDtd0E239H07
                                                                                                  MD5:754E73406288B7E24396DE0B02C9767D
                                                                                                  SHA1:EE115F24C025725D5BC56DAF460CBB25084D1059
                                                                                                  SHA-256:A2B082F8CF5944558CA68BEEC0290C49A3E4080E3B364A9A64F6CC203DFD2339
                                                                                                  SHA-512:9C378936BE40F532C0866713417DC0F686F8067EE706AD96DC71BA9614378A9ACF1E481C95E25C0AA0C9E63CC23C237FAAB22E49BD773E138543F27C7F0AEA5E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon64.exe remove *STVSpkSimple >> inst.log...\utils\devcon64.exe rescan >> inst.log...\utils\DIFxCmd64.exe /u stvspk.inf >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25040
                                                                                                  Entropy (8bit):5.182836790970066
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:RnmRA8diIqFr2hrkzbBglwb20HsOANRBUBR+uekbnYPLGKw:5183HrkXBhb2CI7BUBUnCtKw
                                                                                                  MD5:3C0B8DA5253B68665362881787681D04
                                                                                                  SHA1:8C2925071EBBB1D94B34DBC9B926CC96F3D6674F
                                                                                                  SHA-256:8DB1AF7E90197353FD346A2A4D60C7EACD506EBD593A9BCA811DC9C5D420E141
                                                                                                  SHA-512:5ED6163BD09A81D50059B816B3D188DDABA7F032C091CD21205F081CA1B4BB902129A5AA87ADF55B5910B193721226F2E82CC53D9A0DF0D833933F798FCF5471
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12008
                                                                                                  Entropy (8bit):6.164676951334965
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:C1XYhWsmdZunYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9/6onc:CBYhWsmdknYPL/p1P6j7rtc
                                                                                                  MD5:1A2D1119C830079A91FDB0BC96C68E9F
                                                                                                  SHA1:6DFD2D9E82F5ABF807402E81F837DEA3FBF24861
                                                                                                  SHA-256:758732573D0360444173A9ADFEBC41E6295262A2E128F4A7DA973138BD05E1A6
                                                                                                  SHA-512:B8A8F0D970D4ACA797C3AE4F70C32D1068599F1FD802430F75606541F00BCC133B66484DAB0276115E09E39126AC398D54933A7757E4C28EC54FC0E40B869A3C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18384
                                                                                                  Entropy (8bit):5.784225074424451
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:KNpdeIDggm1TgXu0HM9CZFuz9ynYPLGKsH:Kp0f1Tg+CM9COZytKU
                                                                                                  MD5:FFF61014618EB5B63F5CBB7457537577
                                                                                                  SHA1:E899E392E493F731B900B36FF3C6AD384D35B129
                                                                                                  SHA-256:764FFF366A21B3D44F3F43BDED347E8BF6ACAEC3F911AEA07555A3D8E26CB407
                                                                                                  SHA-512:E057FC69EBE9E36A8D4DABD23044229450FA606564F28A566233AB014C7433ED515AC0BAE8427E667164518A92F74803719A1DB0066AF17560423C8E6BB6FA9B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12008
                                                                                                  Entropy (8bit):6.1656019250857135
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:C1XVhWcj2sFnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9SPp94v:CBVhWcj2onYPL/p1P6j7rLv
                                                                                                  MD5:8A12125138A8F34F9700529363947D5E
                                                                                                  SHA1:996729B5B9A1E85F3B911911AF675C51549F6D13
                                                                                                  SHA-256:392811F93E8DC4BD0BAEEF0DEDC6879DB667EAC0BE894BC6FBCF5BBB776AC98F
                                                                                                  SHA-512:E7AE1C133B9660B791373F1D3BD6765207E6FC1D132687CCE99E267E4945CB9843A47FE53FF0C2A2F20C704F50A8F129514F56675B52FB2C354FC1D829EA62D9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51
                                                                                                  Entropy (8bit):4.239902792442837
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Eyd/MLVLV5rxk6BzX:EydELVLrqM7
                                                                                                  MD5:F03B61C1BE8851BF64E2EB97D4A3AF85
                                                                                                  SHA1:FE502F4ECD1209B3DADA7AC8F4876ED9FB5264E8
                                                                                                  SHA-256:AF5EFC928B43A1A476BEAFC055B19568EBCEE29EF4CEB211353DD218689F833B
                                                                                                  SHA-512:D229E472C0FAC83B5B952D368444DDCAC0DB965D033F29AC9EAB8F55D256BC4BFAB0861F21045A6E3B809F5B76AC30917AF321B3DC5F901F982CF477578ABD34
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:utils\devcon.exe install stvideo.inf STVideo_Driver
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77
                                                                                                  Entropy (8bit):4.625480821115634
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:EydKiRgLV5rxk6BzJzIvXYRABAC:EydOLrqMqPYRkAC
                                                                                                  MD5:70271842A0F3305F9A2922EFE95FBED0
                                                                                                  SHA1:8B60A48D3F3CE9BF397B586F88087A291DBE3B89
                                                                                                  SHA-256:A537CF622B5DBAD19587CBC8FE08BBCE8BFE7E49497BECA5784723E876F99415
                                                                                                  SHA-512:B84A1FE296A36346C9658F1A715114FE5A7518FC1E9B9C7A4D08DDFED760ED15626FCD1751EE361CE2D91FA9B19B75873BAA6ED1BB441BB5170DB50473FC2CD0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:utils\devcon install stvideo.inf STVideo_Driver_WIN7..utils\Mirror2Extend.exe
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):79
                                                                                                  Entropy (8bit):4.7040270721314865
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:EydRFMyEJLV5rxk6BzJzIvXYRABAC:EydRFYJLrqMqPYRkAC
                                                                                                  MD5:C8D6ACDAF26E7B8FDAF2888E0CAE6275
                                                                                                  SHA1:B46AF328CF18FA3687AE4D9EE06780C21A12B7D9
                                                                                                  SHA-256:DE19F496F5932135FB25AB04EEE9E5A923728DDFBE13499058530239D890240D
                                                                                                  SHA-512:79CF0BEDCB07C72B6FFF243F7B6D90116AF1E558290E873863C5BE6994ECB6A7E4D4A0ED33CB05D0AC3699CD2328B3E4613868DECB77D7B0BBA6CF49AD809067
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:utils\devcon64 install stvideo.inf STVideo_Driver_WIN7..utils\Mirror2Extend.exe
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):5.364902287777804
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:NpXpb9ygWK86AclLjQ/WzRf8aMKnqPndtQrcaceJe0uqmnYe+PjPGyz/wa4/h:59yD6nlLoWB8a5Od+zcuebZnYPLGK5a
                                                                                                  MD5:FD3381A69042E1B01266549549845449
                                                                                                  SHA1:C6D8D4BF754DA24C0C9B39DFF0B336120BF3829A
                                                                                                  SHA-256:86688C2EAFB525E2E0E6723907E15567E426670C6B9934E129218A45F47B117A
                                                                                                  SHA-512:E9CEBA750A44248860A5980475D41358C0E0B78EF65BF823995572AA091804D3AF836A2A456A8C4A394AE57AF2B8589DFBF561D1007A3A600136A0746EFFB479
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12008
                                                                                                  Entropy (8bit):6.040113518412221
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Dq8YdZrnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9NH7:Dqjd9nYPL/p1P6j7rd7
                                                                                                  MD5:3C1EBF4DFC9685F1D584F0D6F421391C
                                                                                                  SHA1:99FB5FD1A755AC038818776C6FCB964FD027334F
                                                                                                  SHA-256:237BC4CD7AC38B503EF2D319C484EEAE07562AB09629C218B5C5BEEB8D5A8586
                                                                                                  SHA-512:84C5DCFBAEA40091F7D1D5003414FFA8926B3CEFFADD08071297C5F5A6929557D8EF36BE22181431CA56E773669CD1F15DCFA16494C935EF0C15707102A4A73F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11728
                                                                                                  Entropy (8bit):6.807178448617145
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:KHpo0tYsmKZWZ3/ECwTnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lfr9mOsPkHsV:Pe+jwTnYPL/p1P6j7TmOfHsV
                                                                                                  MD5:36F961C6308CB0B919E659EB1B738AFA
                                                                                                  SHA1:FC795A8FD24CBB3267474D99922CFF1BEE5F242D
                                                                                                  SHA-256:4212786F0C3D5A00502A5926DE4E111BC9ABB84A4953C93DA6E17DCE4EC902E2
                                                                                                  SHA-512:923A0C4B1454C4DEDA5AFD423B34D51FD9AECBBFC610006FC062CF031C81D4A2FDC94098E9DCA4FC16B25FE0766ECDEC12F450E8E4BC701F17832D3715F70C91
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15824
                                                                                                  Entropy (8bit):6.022305855965037
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:cdot9XqRolBJB3gP9tRHY8QjSec95NLnYe+PjPGyz/wOgjJ5Q7:cduaCvJQY8QjSz9vnYPLGKGI
                                                                                                  MD5:AF512AA3612DEA5C2E2FAE866898EED5
                                                                                                  SHA1:803810F8648832AB81DDF3B3C5862077EF6AFD4F
                                                                                                  SHA-256:FBBEE200CBD1663A0F6D6F9FAD4502004DD4922C2257CC8AF6CBFB4DE1CBDB12
                                                                                                  SHA-512:857D6F4F13ADACE91E7C90B6CADF601C87F3D98C9916C3D6079B153A48B7A9F16A5DB79B92D9E087F1646FE12DD65890292475D2D4DD0C823354EAA0B4BA5939
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4694
                                                                                                  Entropy (8bit):5.249583632564649
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:E+5iOJLGq6BFPmfsLkfsof96zdUyLiypkTsTetTtqBlFL+WC:E+5iOJLGqsFPmfsLkfs86zdUyLiypkAU
                                                                                                  MD5:BA4F5D984CB8611E64BFCEDE9C3B8E93
                                                                                                  SHA1:AC67AA1C6C892FC04FC740647815F74C6671DD34
                                                                                                  SHA-256:A31E1D6AE465C93B847D47BCECAE94E24B918BFF73DD7D9B31E6789322591DDD
                                                                                                  SHA-512:16F3528FA573C612A0CF1BB772FB3C3DE2C4EBA619621E33DE0337D0954DE115BA39FAD0D7FD9816849E2BBC430EB84AAA802AA9F861F0B94EC890C9E19BCEBD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; stvideo.inf..;..; Installation file (.inf) for the splashtop device...;..; (c) Copyright 2011-2014 Splashtop drivers ..;....[Version]..Signature="$CHICAGO$"..Provider=%splashtop%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=03/31/2014,1.0.2.0..CatalogFile="stvideo.cat"....[SourceDisksNames]..99 = %DiskId%,,,....[SourceDisksNames.amd64]..99 = %DiskId%,,,\64bits....[SourceDisksFiles]..stvideo.dll = 99..stmirror.dll = 99..stvideo.sys = 99..stmirror.sys = 99....[DestinationDirs]..DefaultDestDir = 11..stvideo.Miniport = 12..stvideo.Display = 11..stmirror.Display = 11..stmirror.Miniport = 12....[Manufacturer]..%splashtop% = stvideo_Mfg, NTx86, NTamd64....[stvideo_Mfg.NTx86]..%splashtop.DeviceDesc% = stvideo, STVideo_Driver..%splashtop.DeviceDesc% = stvideo_win7, STVideo_Driver_Win7..%splashtop.MirrorDeviceDesc% = stmirror, STMirror_Driver....[stvideo_Mfg.NTamd64]..%splashtop.DeviceDesc% = stvideo, STVideo_Driver..%splashtop.DeviceDesc% = stvi
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12008
                                                                                                  Entropy (8bit):6.040343349200973
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Ddg2s4nYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9xu5eF:Di2hnYPL/p1P6j7rxbF
                                                                                                  MD5:46DF2F9B00DA96B8603F472EC4BEB416
                                                                                                  SHA1:AFB25F23A849DAFECA73DFA6B0DF428619F6224E
                                                                                                  SHA-256:8196CA7ED6BF904E00E2A2955AC8288801AA3983384268D5DF85F52AE10FC974
                                                                                                  SHA-512:0284D0D1A025AED097C375343018DF023A7058CF741BFDE9D97DC647548BD18C05B068268818E6542954BDBB1FDF0B992277C565865A2084DF9BFA2E33A9FBDC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):57856
                                                                                                  Entropy (8bit):6.214858942297855
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:T6pztvRXL6L1T9mV0OTpJoNGDP5t2IhmX+o:T4tmL1EXCNGVt2IhmX+o
                                                                                                  MD5:3B83E955AB0C3A815E0ED69EB6407C52
                                                                                                  SHA1:995657C40BC9A28D36AFEA59FE8549B916F81B95
                                                                                                  SHA-256:0C2EBB467661D404BCA91A080CCA0E5836797EFC474B62A3D22FB3419E3C8B52
                                                                                                  SHA-512:1943EB1AFE81116657CBB33E87C7683CCF6D9EF22F59E5CEE840705E486A176DB5A7D67114A46ECDFC47A1B351F94DDEC72A05BDFB29CA6709CC696D877FDEBA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):542216
                                                                                                  Entropy (8bit):6.466753301083591
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:TXL84WA5C/KIcgHrlti0XoppdpRFT/FKf51PnofX09v:TXL84lopcgRti9FT/FKvnuX4v
                                                                                                  MD5:BB241F864550BFA8AD2346C65E0CE41C
                                                                                                  SHA1:378769EE7D6CA44554103E6A23F1BD20BB9E2564
                                                                                                  SHA-256:58C4394BBE98BA2B9344209CDC98F5DB854A385ABEB4C74BD111B0ED661D1D61
                                                                                                  SHA-512:68CF0A4CC802A10C218B3155D427DA5DFB6EDEA7671A41D016A5844011896C84490123E008CDAC2A4C5C60150B777F6742BA47A95050DFC1DBDEE20E332765EC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2816416
                                                                                                  Entropy (8bit):7.82236063017737
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:wVaHMTDMmyUZe4RF+A8LO9Us1BXEne0Nxx4kta2R74IIjvmIFe5mxoDpuBw1s31n:wVTuERKy9v1BXEne0Nxx4kta2V4IIjvZ
                                                                                                  MD5:DF362B11095D0F59ECF9DDC0DAF61B12
                                                                                                  SHA1:6BB3B490F048FD1306D714651F6C2C488BC318D9
                                                                                                  SHA-256:BAFA22DA91BF2B44E4EFBBDFB8D7FB64B6F8A04569F2737EA49C384CDAD193F7
                                                                                                  SHA-512:0A03BBF0DEF16E78556041DAC5EF003957384C37F07B08EBC0917921DC30189C2E3CFF7F91F369BD7195A8EE3E84D194113F0D889897C5679DEA263F27821FFE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):465928
                                                                                                  Entropy (8bit):6.6188868975232875
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:nmELSchToqY92QUOMIsV7iPSdutxml26jmlE662:bnAUF1pAb
                                                                                                  MD5:12A3EF8EF5D70994B9500FA0801F8903
                                                                                                  SHA1:C06C2AC1CC4B7D50DDFD36E32CDB2274618294B7
                                                                                                  SHA-256:520C5A35F943B06888A96339EB2B8B5BEEB70046B5835DC0190AF77B4E0824FC
                                                                                                  SHA-512:EF4AE07C1F2A636D57F5FA64505CE8CA581FAFD450DAC9FFAED69B84259BC21A3632E401577FA996C5C699352B07325CA7CB4CF82FD46E3C98E506E08B3125E0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2581408
                                                                                                  Entropy (8bit):7.8335475472495375
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:bGF1tZkcS3fy3i9Ov8l6/kKkN6PLsCzvDxg7abakf35UXAtuwHgLYV1G4DW1L6Ky:bs1kcS3fy3pv8l6/kKqiLpPuabakf35n
                                                                                                  MD5:348AF13556E619DA13459047DAB625B9
                                                                                                  SHA1:6F3CB9022C715AFC6156A44A73D9D10147AB6CA4
                                                                                                  SHA-256:75BDBB78A7CEE839496A8E643E2E631D04E243C4B466F3AF7FCD8C8A01288807
                                                                                                  SHA-512:344C43F62910CF5D1B31AA3A17E0A581C438055D49DC59071574F3D1A500C0945AFE89C2AB54045140B4EB79221B5A7E0814056C5600055FD3A0D458436D9CC0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3116552
                                                                                                  Entropy (8bit):6.392745373577217
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:bPZ5TNGpStg+wTMz3Q8giStLONyAppqk8W+OcVpcL0865eGzYPcL1l:gtMziR8k1DcLv6xL1l
                                                                                                  MD5:9CA925B6A0CFA7F8B0222233B3494D05
                                                                                                  SHA1:20EF67FDEA63178B92D2BF4755C02687DC9D9022
                                                                                                  SHA-256:5C66BE5F5D9A8CD7CBD5F31EF3AAFE7A422186E9B21AC564B58362508BF0583A
                                                                                                  SHA-512:FBF69CAB559363EE0C16E4F04A7A3BED101B1B7D96383D2E092DE6EED505522CC7D1FEA1900FB0A63293BDEE34A5006583A1540D61043439CCE4EB12FF505879
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32264
                                                                                                  Entropy (8bit):6.549378989734658
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3mFO3OkMgk4tx/knVGuOA0R2dEpYiTPxchfU49:3SO3trenVODR2W7TPxchfUg
                                                                                                  MD5:48C3A4A2FA37A0BFC5BD90874A63AF44
                                                                                                  SHA1:27A3FBF2603B36DD972401CF8B976FBC282A2C3D
                                                                                                  SHA-256:3822BE932AED0A6E5C5A9F3CD80440AD96C8248F187F67324221A58AF5276296
                                                                                                  SHA-512:F261A54AF5B0204B8018B5844CDDA6BDC1F399AB3375BF171B8E7081A9BCA583D061F7182EA140E5E2A9E42916C78C2C7256AF516B15EC16AD51AD8ADFBC57EA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2403848
                                                                                                  Entropy (8bit):6.7207202597413875
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:FgGdcX0zBXVSNi2z4xw4G7NyzRP1ikMHeBNWHr:F4X2ikxwTNsi7
                                                                                                  MD5:4CF09B45FEE4FD22DC22B0AF706E4D80
                                                                                                  SHA1:86A6E08A3F7C315F1FDE9A9499EE91EE6A0F1407
                                                                                                  SHA-256:4D925CF495ED97B7B73F7A93B01F7C529B55EB4581479120D235DC9263D06A3D
                                                                                                  SHA-512:FD4B8E15B5A2C0B5045F039E2498D1CEFA5BB4913E302C56E6B84526279D36378D87E9269435B5AF644BA019CF056BF47E818F192FDD9D35F1AC8CF8D6DDD531
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29192
                                                                                                  Entropy (8bit):6.708144938787245
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EJVI3R0H/aWeIUhwNslRPbJyRefvcO+mVMWehLNyb8E9VF6IYiTPxcbdGgktyVEF:EJKMC8NsLPtxcO+AMPlEpYiTPxchOF
                                                                                                  MD5:A958758134E6D61D45BA0C4968380A8B
                                                                                                  SHA1:F40142518B13782CD2A06844CD8147B337E459DA
                                                                                                  SHA-256:30FD28720C7235F45140ED0642A4C71FF0DB1E93362D5694D87026DDA14992F9
                                                                                                  SHA-512:1645C335C36AAC6A6BD2A74E41F7176776E70B696705F491CA8CCD6E99A54C3ECBC52E8BA081E9B0E57F5C08E0546D5302A7D28D72C350EC08446D54457360D1
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):107312
                                                                                                  Entropy (8bit):6.447984928648711
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:BTeWLZrzci/8dbquofWnRADp2y6hX2hbTYzLhrhkphDZ52DBXN+vl/DFS:BCWFfqbqaGnGzLhr82DBXN+v2
                                                                                                  MD5:BCEF2D42768A816AF7CD60391CBA3C0E
                                                                                                  SHA1:E17EC512C595318DC5F282CB73B71CFCB0B52A7E
                                                                                                  SHA-256:0EA236D80EFFA865F73E728D06790AB5583660EC915C979E8D96CAF692B6FE80
                                                                                                  SHA-512:389B36A464C417AAAE16A229F004A01D4F1EBC8F3D8E8A4D12B5AA82D9BA5EDE4A139B3999BAF1D9BF862D3B4BD5A6A0D89CC0A3561E8CA15EF19AA771DEE475
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):76752
                                                                                                  Entropy (8bit):6.281018016209332
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:TMM1hIpiOe7unK1L0RW7Z4tk05ZpJBkkmN6/2EvK6k:TMM/hOeSK1DZ4tk0/B7OEvK6k
                                                                                                  MD5:8CED2B2F0E61A1BA20D63B24A41E1234
                                                                                                  SHA1:9731E2756EAB7A902DA1A72C0F1DC008425037C5
                                                                                                  SHA-256:44DB8AF61B92B39C805B136D2FB608D9D9082F051DDBD9AEE9E3A760B34EFF13
                                                                                                  SHA-512:087596DC595B786D74087BCEEA2F1A9B46F4EADCB1162201F32CB05B9BD207520C617AD849CD52788B5C2E579CF72B2B1BB7A5265D10B450B5E6FB8D17D1C07B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):91432
                                                                                                  Entropy (8bit):6.020228136904558
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:5UBy2mcawf1jBALblIkWHgMCtd+DIO6iUY:SyNcRjyLKGMCtd+DtDUY
                                                                                                  MD5:B510DA2C973FEB05803F124D0507D3A4
                                                                                                  SHA1:8F1344CEF1DB998698E1467AD22E30ED3BCE584B
                                                                                                  SHA-256:A39DEBD7558B4E769AC277A7D05B532318AB7774490310F76BDFE9E55240D9CA
                                                                                                  SHA-512:AFC90D52B19B5E8186C62F5F1B720AB68EB34A997D3099824C7396FCC74D1ED76063BA1541FAAD999806BCFCC375909636E48EF36957157AAD766256B2999E6A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):170960
                                                                                                  Entropy (8bit):6.545608024132094
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:k4UWlA7/ZJoE1s76gv/vKnGStqzWTBflx+FOGqK1:PY7/3s76ginGS4zWTBQv
                                                                                                  MD5:27CA510E2DDFE647F742F98C2EC6A7F7
                                                                                                  SHA1:1F422E39770D9565460F881D078D8C335B678255
                                                                                                  SHA-256:41BA7791F830EFBDF5F942A0B6DCF98C6A7D37B7DC06EED21F86AFBED0215C9A
                                                                                                  SHA-512:ACBF7A23FB033ADB314466324AF6D1C6F543F6FADB6439B3E80F35467432754396667C9CA511A4D8AC3178BB51CD61EA3D94755436EFA9231EA362282C5FA2E4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):103432
                                                                                                  Entropy (8bit):6.507042602680481
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:W6HdKQFG0im9CyE0rWB4f/j7rvHLoFbGugan639SNxsWb8cdrewxJ1oz2BxnI7Hr:RHu0im80GM//rvHiP6tSDr1J1DxnIrj
                                                                                                  MD5:C206EC43716412F6EF3D34E982DB52A6
                                                                                                  SHA1:3F9107DD8E7D22BAD64D93B73CBAFC05FB784978
                                                                                                  SHA-256:A1405EE37B7332E6C5EEF536E3682579C6D32D04E7B35C63E3B5C6E470F4DC43
                                                                                                  SHA-512:37DD1DFB0485C912AA540F2223C6B721F125F5C8A07A6D1C822A690AD96211218FE9365FD0AD8A9540A1DF34F5BCA50F308A7F26E5032D2DA6F81C7C55377976
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2032648
                                                                                                  Entropy (8bit):6.729617797377189
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:PSkcdKH5rIZ/iMdG44DhONCm/HZigKqiuBzxCdfHmsMOG/fh+WyCkVRG1RruS:PtUKH5rCiMdAPm/ggKqiuBEEZ
                                                                                                  MD5:BEC6156158A67602B09CF0DA73030C97
                                                                                                  SHA1:7D3B3F04B1B0687C2F57B4EEF16025E5B510078A
                                                                                                  SHA-256:915AB66486EBC2D53E00FB67009E9075F5F38362EC9991DEA0EDD22E1F376B85
                                                                                                  SHA-512:83A9DB2A90BF15FBFAA11FA22CA360645B0DC75DFD6EC78CD8E92D1545B25661338D748B2BC135382E46CE14825E4C1E93AC08F5F9D7C357FF60FE1748F06A3D
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2834952
                                                                                                  Entropy (8bit):6.539664758973578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:umSsYqrQaFT1BlliPYksB+zAAWTnlOSF+5T3Yr81C2MThk1kHW1l1R:umSsRbBriPxv0AIlOSF+5T3Yr81C2PSm
                                                                                                  MD5:1F7098CEB237AEEED163E9756BBB90A2
                                                                                                  SHA1:BA3B3CE92EDE19D79D8590F14DF6360CEF45BC0A
                                                                                                  SHA-256:FD546CA96FA59E9E230C971F1EA8300671626B3E539DA38229FEF2D31DF39E37
                                                                                                  SHA-512:EB7EC85184EEBFD80F81CA7FD357F1F069B3B3C8EB67C1399E39B26E088CE8ACAECBB7F3F303E2493D86F26BC554C45B2B09D902FE011F1D16ACECC22E9C42A2
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):530952
                                                                                                  Entropy (8bit):5.635258243014462
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:BLuEfa1wzyLFLdpirf61es7BHiUG9CrtiU4/+kwltmfjLvr:wEf9zyLF5UwiUrvQ+kwKjLT
                                                                                                  MD5:DB58A250AF70BE2601B780E38954CAB8
                                                                                                  SHA1:5778BAF30357176D48716B4B26F38EB50EDDCD38
                                                                                                  SHA-256:EBCF29B4EABE11BA7C3BB144C0ED56F3436DC0DDB444FEA9ED46D3DC65EEF2BF
                                                                                                  SHA-512:FDD880568235ED4817678223176E76F19EBAE59117C8A03AF146594D0D231D87B8C9530D9D0EE4A13AD28063BDD79F6A8B17DC5E45429F06C85B189971BCE8E1
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2856456
                                                                                                  Entropy (8bit):6.5272320223066655
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:yxNLfsfB4HLnvkoRImtbOzNSv7kgYNaN/AS2X8bVD91kHWj0f5co5G:yfzKB47hImIzNSv7nYNm/AS2X8bbSWQi
                                                                                                  MD5:A490F9458C33BD398784F2A279191FE5
                                                                                                  SHA1:75608EFD13EC19A2BD9ADAF4A3C213FE8B56B58C
                                                                                                  SHA-256:A4291F8933C7C7F86F41B6D8C55B38B32D423CA2DE2FD849BFB34CFAA3A423C9
                                                                                                  SHA-512:7FE5000E801E23D7F606B44E630069B3B1DA3610B7F24710DFC45692D5C1F630CAE0008CE7EC64F943725A33A290FD22621DEC7FF0B22496A7A8A79F95777F3D
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2847752
                                                                                                  Entropy (8bit):6.646321260816477
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:hUgpR+7j3bGHrQcZ3nEiNd1fcpV8IjaKQXRoiQztOhvduynwtDWNOIuXm1:KgpR63bS06d1UpV8IuKQXRoiQztOhvdD
                                                                                                  MD5:D594E5BBE16CE8113E6DF65D5465BD8B
                                                                                                  SHA1:0BD07C53236027E0166A50C367ACCE705044D094
                                                                                                  SHA-256:8F4EA2D03D82EFEA0E5BC5D9D8C9ECF9295ED44D5CCB04B6B09B2458A0D6D15E
                                                                                                  SHA-512:22CEE98B633A0BE3276294BF484F20EA5AD02AEC51A772151AAA4430ACBF395ACECEF7EDDCB862B0BDA27784A1EB502497C1FED18620FF08952209814B0930F7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):126984
                                                                                                  Entropy (8bit):6.665230260582452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:35P5B8wltn9s2x5eSeKiifjo2QqEF+bppW1rHIZkrMc:315ds2x8Szi6jo2Qbx5ikrv
                                                                                                  MD5:A84334EDD4524897AEA6A3E48AEE1370
                                                                                                  SHA1:8505D4B14647D44CBB2F6E7B9F03B2B96840A920
                                                                                                  SHA-256:40EEFBA6B13C35261CBA798DFB07F87A1F314879C3B381DC19BD2F187C42F2B1
                                                                                                  SHA-512:7C46A7B483BF0F3889CD4DC882E3739769DCA2476F8970BEE73C6FF823716CBD814D8AAE51CE9DB31D4EEC559D8C1BFEB6188B6CDAACF3E47D497A643390C6BE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2847752
                                                                                                  Entropy (8bit):6.646331125534745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:gUgpR+7j3bGHrQcZ3nEiNd1fcpV8IjaKQXRoiQztOhvduynwtDWNOIuXmq:jgpR63bS06d1UpV8IuKQXRoiQztOhvdQ
                                                                                                  MD5:C3CF8A2B74EFD52301A7E2B60562B88A
                                                                                                  SHA1:EDA9F8F3FCD25698942565698E9806146C7FEE98
                                                                                                  SHA-256:C3AF403890050387E49BB87F2ABFEEB71BFC1F2AD734F19DDCA4B559DC721CC4
                                                                                                  SHA-512:FF24B018A7DC6CC6124B488BB91CA34455595A6E7C3AD49678EFF063ADB922502F2577DAEABAC0E4578E058C53DA23E06EC91D45BA48BA3E1EBDC080FD2F2916
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2462728
                                                                                                  Entropy (8bit):6.459851104824016
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:SMeSnmrodNwPmDeRluqd5RQIVezdmMYilzviNx1Owj9Kh2PY6MZcqqyJk1kHWFW:SMe5rQNw5ew5zVezdmMYilzKNx1Owj90
                                                                                                  MD5:FD682F1C6DB26119E5A5C8CD947A6FCB
                                                                                                  SHA1:B2CC6A6EE4DE7E313A867AFC3251C076CFBC5DF0
                                                                                                  SHA-256:8A1E78F34144613A5F53FDFC5BDEA1B906E4254FEB6828278BE3EF012B050757
                                                                                                  SHA-512:9DB7D8E41AD60373F5A34888F66594CB822A0492CD80D6199809AC9E41170030B6C758F063129CDEBAD5BBFF01D6E5290D71C314B026F16CCF193B5071FFB6F3
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):142344
                                                                                                  Entropy (8bit):6.179488799230379
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:aIRS31UwelTwwoJChcq6UfS/Hqvo+h34cD8DUsWjcd7LX1rd1eC404jaVV7HxOh8:aIvMg6MSqV4bPld1eC401TN
                                                                                                  MD5:F3D3C87B836D2DE41F58E94B079FAD91
                                                                                                  SHA1:F9851BB7165F4C0588E6FA5BC4D90457B6726A9B
                                                                                                  SHA-256:1025A1B6AC27BDEEB58027C18F76E1BF9EBD3D5C4FF4166E63436988EF1FE187
                                                                                                  SHA-512:626D4B3DF71130E2514A96D3557176BE31E5357948ACE5226995311E63A9B75F3B20F1C86ACA0FBE9DE57C005595FEA04E365B863759866A7D2FD000CBFBF0E1
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):94640
                                                                                                  Entropy (8bit):6.423065206229182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:iYqYiH1S4d7O6R/S4Ka2ogPgz8KT9Tvx2+wAZLvva24:dqYiV+2Su0wTvI+wwva24
                                                                                                  MD5:F6F00886EE605DECD561BD3465151BD5
                                                                                                  SHA1:2585353A6B42041244661D260CA7885E269A38C6
                                                                                                  SHA-256:126EE74EF2F420292FA5FFC120851D8B62854253568483FCE0DFA4B30F25E0E4
                                                                                                  SHA-512:A919E02F81520D285F769CF7E92EE25C85F2EB1949A29FFF022328E10937AA779477D6641F98EAE6720C0986B46240B7B3442693C4FBA0F70E0EA17E3517BB2C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4827144
                                                                                                  Entropy (8bit):6.619100970044717
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:4cfxU/i/TqDXIuIkfsxc8x1fDcSIlIPXRV5h8zyESiInINWNy+N9zIcpqh4T1l63:5fxU/i/TqDXIuIkfsxc8x1fDcSIlIPXO
                                                                                                  MD5:22E13B497D1121567C2AE226C6D47445
                                                                                                  SHA1:FD8F50AEF2DB48F519650430E1B5A735C2679534
                                                                                                  SHA-256:DD9D4F8A07200ACAAE5BC4A9EBDAFF2351849B32400807AABB1DE20A20C73EA9
                                                                                                  SHA-512:E38565C9E74246BDB0D34CA7D0595711BEFAEA59E2CECDA9329D3CFDF5A5DD298D0F47BCC57C056A82D1E18059A8B5D409DD05A507D3DF0528D48A201718BB47
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4827144
                                                                                                  Entropy (8bit):6.619105757532515
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:ocfxU/i/TqDXIuIkfsxc8x1fDcSIlIPXRV5h8zyESiInINWNy+N9zIcpqh4T1l6a:JfxU/i/TqDXIuIkfsxc8x1fDcSIlIPXf
                                                                                                  MD5:7C7CA9728B17F0084B2EA765384612CC
                                                                                                  SHA1:20135586A6C38EC6C8A777AD0F83E4E4DF77C9A5
                                                                                                  SHA-256:9E12DBF2A16E2CDE23A9B0F85863C5C2C7DAA5A91A626A188E7E4ECCDC385C77
                                                                                                  SHA-512:96AF7B0ED6AF8868464663DA6AE735A693A3B409DBB786DEB3EEEB8CB8242C7770E729E03A8C4A0672690C5D994A73AE0D788C38D7B45869897900E7ED39B74E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1867272
                                                                                                  Entropy (8bit):6.692254498803176
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:fa4mao1Xnaau+SDlHnqTVI6y9ThIVaior9ns:fa1B1q/+SDB2m+
                                                                                                  MD5:49C644E6E216BD7DCEF4EB7154D84E3E
                                                                                                  SHA1:E0CF8E3EF61A5F20852D007DEFE52F15BF7C985B
                                                                                                  SHA-256:4C30BB3BFB2F8BEEA56A7A4C7253F7F10A94E1EAC71B434BD59AEBF2C4148E1A
                                                                                                  SHA-512:DE65AADFDB47457EBB719E71F44BE802A16A6FD1DF6D38D5E242C3FC1E062DF0981CC679277B0AA26BFF3727F29B437EFDC0FBF6AA177F348B1CE080AB838ADE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):330248
                                                                                                  Entropy (8bit):6.7899102550791
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:4aXIREBEBRS1izV0CyJ8XytTl4jqNzmCPOIAOvQ10:kEhCyCOiqNxjRE0
                                                                                                  MD5:7C3B0175C350E6AEA7C5F4F331FB7457
                                                                                                  SHA1:46FE50380B66C64A98B08017DC0D8566D9B22847
                                                                                                  SHA-256:A83CDFC6ADDAC319E9CF2F950958DB790CA430F96D900B5205828EBE9B2829A8
                                                                                                  SHA-512:4B3972EB174AE834B39F34D51D19ACA9EACE14CACC54D0314DFBDE8B38C2A0514E81B5861BEE9CF8465313F6B98DB31B0C2D314B052CC8F5CDF58C7AF7E61AAC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):649008
                                                                                                  Entropy (8bit):6.592395353162998
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:EevXOcMAzEExDWdMoe3BlkCwkupdTyu7XAgBn4Dy:9ecPzEExCaoeRqFkcTZjAgBnAy
                                                                                                  MD5:F8F5641394A455FDCC4E493ECCC7F012
                                                                                                  SHA1:02D12D3E6569EB3A669602AB12540DD509F7474C
                                                                                                  SHA-256:4B5051DDDB178BA71D1BFFF29D93693FC8DD73B3117A23E06BF6A3815CD7BA35
                                                                                                  SHA-512:BEC16EF02A11BC84A8B412B4D3F3142DC5532C88F8712C43FCF2397B4D0B6530D7DC7EBB512413C1E260711C0B5DBC454B8FE6E61886ED536953F8315C9EA74B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4639240
                                                                                                  Entropy (8bit):6.427553985864784
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:7knkAp/RKEPPtjDFU/HnFSk2IyEWmoV7B2qTXSWJlbg:gRzdKGEWmoV70qdJ9g
                                                                                                  MD5:1B4BEEB773103E60A53321290E72C936
                                                                                                  SHA1:01C95888D3B737924310B93F7A6B59192B74E52F
                                                                                                  SHA-256:208C8EA7ABDDB3D78BDBD2DF1F7B1D91F19C80716472AB4CEA11A993F4BE0D4E
                                                                                                  SHA-512:B55D47571ABBEBC09AB223482D70157CB5DD100F448FD000C8750171003249010786368DDFFBE42956656E623D292589201034B2D32A41E8EEFC00D917705D41
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PEM certificate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5262
                                                                                                  Entropy (8bit):6.05232077920498
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:LrdBs5tNThpCwTWYOHS2zkoGwhav1x6s7xPe47Oq1JmIyztq43ZEDRS4bcrkpk7:Hg5tNTDCdRoothav1xd7Be6Ositq43yY
                                                                                                  MD5:A8B2B3D6C831F120CE624CFF48156558
                                                                                                  SHA1:202DB3BD86F48C2A8779D079716B8CC5363EDECE
                                                                                                  SHA-256:33FE8889070B91C3C2E234DB8494FCC174ECC69CFFF3D0BC4F6A59B39C500484
                                                                                                  SHA-512:3B1FC8910B462EA2E3080418428795CA63075163E1E42A7136FA688AA2E130F5D3088AB27D18395C8C0A4D76BDC5ED95356255B8C29D49116E4743D269C97BF9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2511880
                                                                                                  Entropy (8bit):6.474952796610172
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:NmROzqLfJdQImVbsA+1p5xa1/GW69Qd/o7na6lla5SISrk5kZvjT1kHWWm1:YyqLxeICb9+1pzaH69m/o7na6lla5SIu
                                                                                                  MD5:6AA8728E3CCF6DC77CD5F8BB1606B23C
                                                                                                  SHA1:BD88659CF8411BD21F2D76A1FB7F44522D8E7E2C
                                                                                                  SHA-256:FBA1711F1F31DAA1C39FE49AD1E9984BB2F8C09D7C8B18FA2B1ACFBBF0F450C3
                                                                                                  SHA-512:248DA56FFF36EDF39191CAE03CE2CB35819E860FBFEA11539BEA6A46F23706BB98D2E3037152A19FDED6457D6B1105076A61907C2DC30396814E0446382411C7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):403976
                                                                                                  Entropy (8bit):7.913397085225153
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:ABn+r/1zHhY39LgwN7krdItd7YtjIRC67P/4HATggyTG:ABa/1zHeKbri0eC6zRggyTG
                                                                                                  MD5:4C534EB38F42BC64F08C33182156D8A1
                                                                                                  SHA1:EEBD8F8C323E50945A273F1C197E91A9BE17BBAF
                                                                                                  SHA-256:7FA2AA9E466E2F3B884D11984E3D68750CBCDDB033F02F8AAC4AEEF1EE02FAA1
                                                                                                  SHA-512:97D5182BB70E21C5C6E2D43AA62FCA5A171AED3D3AC97A623A6FC187590CE3595DDBBF8B82B969BE86EA0FED22C5447819A0F72B1304AEF1560BDFD5F0054E98
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):552456
                                                                                                  Entropy (8bit):5.861082788260862
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:kARoNkM3YHA77f8m8end5Xy+1kvI8k9W91iVXuXskIhnclJS:RoNxh8edk+1kv5K+WhnclJS
                                                                                                  MD5:24890653CF368C9517425823DC8D0833
                                                                                                  SHA1:20382E4DA8B3DC11FA149C56CA6340F235E24E20
                                                                                                  SHA-256:8C66B9490BF5E0AD06259D0CE9A3A79818ADE1421F2A0D441B3A2FA16FCCC614
                                                                                                  SHA-512:815D98FABA8B07B34A1561F7FF8851E5119702F79BEC08E70E0A8F5BFCECEF9EAE890B75546E8D910E0F2B025174DB0B127F9D2D6A32BC145A6951C6A40AFAD8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2790408
                                                                                                  Entropy (8bit):6.513824440011559
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:Fi5406jawRY386kQXVom4G8Y7Mln4S+GlWXJYsGWwpt0eJy1kHWVXswZeJyP:M4069RY383qVPVZ7MV4S+GlWXJYsGWi8
                                                                                                  MD5:0883F496B5EB0B9CF4CB24BBE3D60160
                                                                                                  SHA1:11EA03EC46E9E2F4B7B8487B2091179629694D10
                                                                                                  SHA-256:E29FCA755C1FBEF55536B872B30C9D00CAFA1C46A5EDCE04393B0C1223EB6589
                                                                                                  SHA-512:93C64F37E1EB2DB9CB3FB74946F30AF94CB6F89F108CF573D76909FAA0FE2C44465815967429B29BBBFB6D4FD272AD0C8355FAB068A6F8503FF9860E219CE136
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):170504
                                                                                                  Entropy (8bit):6.584358890743955
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:4bZwVL8XodHGBy7R9ayIrkTGmqgxlEahOAPCCI184A94CesE32:NYXRsR2YTGmhRhJFAsEG
                                                                                                  MD5:B68D5F67BD1FB013720F291D70C9D08E
                                                                                                  SHA1:19B9D7E3960B2E929F6B2FB08A4136C13C7BBAB0
                                                                                                  SHA-256:15AEAE1D6E0F9A66C081C786320486CF17FC10F26B6C486C74DF775B07791D58
                                                                                                  SHA-512:3323F2E06673AD436C57D9DD307DDADF5E4479A8EEFE56DBD0403BCDEA2176126DD344B28CC11F7C277DA46588B0866AA1B1AF4E7A0404D68E21E5981846C090
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):203272
                                                                                                  Entropy (8bit):6.606805717980334
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/A7YiJa+hGYsOhS+ixWVg0jbhm4381P7ZL0HelltPVhVsjigKYgQL0HDG07ds8KM:/A7YiJncMh5NA4MVdL0HeFVpQY57ds2
                                                                                                  MD5:E3D168D946A8D8FEBB39521D6F9E8207
                                                                                                  SHA1:EA48A18FFDA6336E8587635142BFC333770D31AE
                                                                                                  SHA-256:811BDC74EAA5935A23D931930F0804D7C234E8595DE81BEC26ADEACFF62BC446
                                                                                                  SHA-512:12BAC78A83BA30AFE4BEE40FAD25331FDF9BEAA8D232A71DCB05407BBFC443AE09739418D5B46D6020F531251BCBB2FB434FF8C564321180616446B7384A3B3B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):333320
                                                                                                  Entropy (8bit):7.909775605022876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:2lc/Jz+v9TViX69NAqxVKhFcuUa/w28bgSl1FcXirkmMDt:wcU9oe61hFPqgSzrkmMDt
                                                                                                  MD5:562D29B934BFB893AF36F03CBA478AE3
                                                                                                  SHA1:5AA2D1A95EE82DADB2EE604E503CEAF3FBFDDD6F
                                                                                                  SHA-256:ADEDDB37D54E44F84BE0F3824A5C2E98EDF831D6E16836C4CDF34FC47DA4BBF3
                                                                                                  SHA-512:0E85A3BC34D44815442DAAECF910AE02216B28891D785C2C85072FB2824E0AC4056A658C76522C4659F5275F975F291C8BC9217856F52EF1DB6778069FCF8A20
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):337416
                                                                                                  Entropy (8bit):7.910033827099534
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:jlsrxoLbx49G3x2MB7oUR71gg/wl12GSHU2eQHx+0lnPmDfYfG:B0dwUQNTW12GoU2eQR+SPmbkG
                                                                                                  MD5:7A90EC5109E67E431CAF2FD55D41F82F
                                                                                                  SHA1:412F6A3E795502CD39F76FD51B138E06A081F146
                                                                                                  SHA-256:2FA77B33CCCE1B5412A9866ACB63B050F6F94485EF8AEC378BC82D02929A1001
                                                                                                  SHA-512:ACDBE23B0FA784EA5433A223AEA32CF1C86436F7C9F4E715A10B6A891B4D6B8CEAA943C26444B5813AFDB6C9C4DE6F43B81A632D74920373C0D802613DFD2ED0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2582536
                                                                                                  Entropy (8bit):6.439872347245085
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:udu/wuTcE9m/juNV60UZ5TRo19aOpkSiCMS367JnuB0lSF:tI8cVjuPzUTTRo1MOpkSiCMS3CJnuB0k
                                                                                                  MD5:706ADB78B2036CCF714887D353416330
                                                                                                  SHA1:61235F81DA698DAACA1CC0DAF9E9C99DFF2AA02A
                                                                                                  SHA-256:923B3703B6857B5159EDEC8D752D607937B37BAC4BDFE25DDEEC7DC1A20E294B
                                                                                                  SHA-512:0988B4A5157F4484AC91DE2CA4191E63FED87CC1CA0F591464B9D887E24394420A1AE566552FC587E0042721FB0CCA3178B935CF127DE190F5C77186EB2EBB8C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):300552
                                                                                                  Entropy (8bit):6.695330747460851
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:56NgLS1hsBLUbcyrCYKlW+GKQnyu1CHw0YHI0W5v:YgLGhsBobcyrOu1CHw0gW5v
                                                                                                  MD5:861875D4CD48D76E650270655C6E0B93
                                                                                                  SHA1:02007CB5E10BDD433EC0E754207BA04CB1C1D598
                                                                                                  SHA-256:41B65F25F5A5B9635D28D467C3E423CD533E239A641922326AE41F329A5B6BE5
                                                                                                  SHA-512:1109E26FB73C677492B79F0C1C1F3ADCCF11962A848497046BDE7AE35C20A5FC48F33F415D6D231E3867B279D80A0069347F1365BAC1AC5658F3E3A1ED8E6020
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):115208
                                                                                                  Entropy (8bit):7.877996118531337
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Ojw9KC9FNiaL9tfuTjyUDJ90sFAmUPDo0hbn+F2LyvwFOs/cYb:b9KC9FNbwl9+D7o+XmIFOh4
                                                                                                  MD5:6B82A354476FA7C56175EE060F08E2C9
                                                                                                  SHA1:D77566D72C6F1C796C2E8087A9BD04920455B138
                                                                                                  SHA-256:754C8D6C7C91B7620A7EE34665C28F0BE67686591E5B49A7E9B8C33BAEF6C37E
                                                                                                  SHA-512:E5241DCF50B4D6003FCF1FE14F8693CDE525CDF020E7CF7557B76AC954102722C7721BDE48DAE08A4524A12E611AF950588ADBEEBC95158901BCA6238CE2FA51
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):733704
                                                                                                  Entropy (8bit):7.921389042280339
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:SEjmVTsQGgZp4zjWURE9b9Sh73+axBJIsPqTVzVpW6jg6sQNGh+rIY2eV0Vt3Cz8:SEjmpsdgZwjWUREN9o91kV5pWmNGhM/q
                                                                                                  MD5:C0B530DCB39BFFA1B2A64DCB9DCE67CC
                                                                                                  SHA1:FC80610E9876B750B5C71CDBA679610320C3DF49
                                                                                                  SHA-256:A4103499C3584F3D2274E8D81B1355312D7CCF2CA794C746915ADA79C12F0D7D
                                                                                                  SHA-512:1326AD4B4EE3920E21449A0367E5912605AEAAF5C692A9042FEEBD2E4B789408DE605A7154D2DCD8A038358A98457312403C7AD550B3CDA64ED9D3E81E23459C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3835
                                                                                                  Entropy (8bit):4.764498295481361
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:y7IqsbCST8eInWhT2YB9tds0xNqu72V3VcaM/g7QSEvqcAzOt6zS:y7IuxeeS9VjiMl6e
                                                                                                  MD5:D949C968DFD291B7D69CD9A65A1CBC8A
                                                                                                  SHA1:9FD25344A4E35BE5F6FCC3CBD346D9230820016F
                                                                                                  SHA-256:D166064C6FFADBD505076B633E10D5536739C3E68E4B48F6A396FD8299666E56
                                                                                                  SHA-512:68C26A66AEE424CFEAF9A5BADFA2592DA91C5B1BE65B69C60879255936413215BDA05D5633F69C7AAD2688A53A586BB54E3AC722E2DCE3BFAC034C4C1C4594B4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.svchost.exe..csrss.exe..SearchFilterHost.exe..SearchProtocolHost.exe..conhost.exe..winlogon.exe..SRServer.exe..SRService.exe..lsass.exe..services.exe..smss.exe..wininit.exe..lsm.exe..SSUService.exe..spoolsv.exe..SRFeature.exe..SearchIndexer.exe..WmiPrvSE.exe..mDNSResponder.exe..AppleMobileDeviceService.exe..nvvsvc.exe..DataProxy.exe..iPodService.exe..audiodg.exe..cmd.exe..spupnp.exe..WLIDSVC.EXE..WLIDSVCM.EXE..dllhost.exe..taskeng.exe..armsvc.exe..rundll32.exe..atieclxx.exe..atiesrxx.exe..ctfmon.exe..SeaPort.exe..nvxdsync.exe..MsMpEng.exe..nvSCPAPISvr.exe..wlanext.exe..LMS.exe..ccsvchst.exe..UNS.exe..mscorsvw.exe..msiexec.exe..iTunesHelper.exe..LSSrvc.exe..btwdins.exe..LogonUI.exe..TrustedInstaller.exe..avgwdsvc.exe..jusched.exe..unsecapp.exe..IAStorDataMgrSvc.exe..PnkBstrA.exe..AVGIDSAgent.exe..GoogleUpdate.exe..AvastSvc.exe..RTHDCPL.exe..sqlwriter.exe..IAANTmon.exe..avgcsrva.exe..mdm.exe..igfxsrvc.exe..Ati2evxx.exe..ZhuDongFangYu.exe..VSSVC.exe..wisptis.exe..hpqWmiEx.exe..avgcsrvx
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):326664
                                                                                                  Entropy (8bit):6.273611352763876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:gpWGtJblMMuWntMAHeVQHe3lPpAyQ4L/8mJEDJnMihRD+ae7/lXCU:tGtJblMMuWntyxOyQ4LkIyxypCU
                                                                                                  MD5:D2A501F07C9F9373F11CC89FB2D49D8C
                                                                                                  SHA1:37EAADAF61D2CBE697F1C454640F9E04F4CD2D16
                                                                                                  SHA-256:A25A7C80A4BD007248306E02FBC10436885C64CC70A40433143BC82C641D3480
                                                                                                  SHA-512:B20727B34287D5877D94963B08F520E586C2A66A39631C768CF2F6ACA31959DFB2711C8043E71DA4FA8A00DF039E886D30B0D7DC2E85FEFC68E99761F3945B54
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):263688
                                                                                                  Entropy (8bit):6.578168733069161
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:rP7UBxcJ1Puvfk+GTVGUtO9EU5dem+b0sInsLwcQRelNXkd6X0ThhYibRYI:DhmE+YQY4/eHw5ew8N0A2Xbh
                                                                                                  MD5:F276DD195D935138FA1EDA9C522CD62C
                                                                                                  SHA1:67508C991FAE8F6A503B7997D96CE4BB7AF559CA
                                                                                                  SHA-256:3E4FF68E9E2E312A9DDCD249F9BC2782103452E64CF6DF2914EF989006DD6EFA
                                                                                                  SHA-512:F3E2C301A7091D04F0D17BCDDC2BB0057366FE7089564966FE2EFD56ABD381190B01672DB6E6C7330E553382D38D7FEFDB644F1DF9F28B85714F52F695D812AE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4448
                                                                                                  Entropy (8bit):3.463053305093135
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:NZ9Y9R9iY+Al8/ky6V9R9iYsrAl8/k5v+sv:0bMAl8j6vbirAl8mv+y
                                                                                                  MD5:20D8473FB148C4ADA5878B313BC776AF
                                                                                                  SHA1:1C88D93AED07AF5753D5CADE1BBA2EC1A69C81A8
                                                                                                  SHA-256:FAFFFA0C014BF46A71E323FC4275A5A9004FF90B474B1B7A30D5728FA81D3568
                                                                                                  SHA-512:5E6AD6B5F040C927685FB4BF4A83149DCDDB22F8A1BD5ECFF5B6E69ECAB80FA7DDAACFA4FA7EB35D9723F4CF364B96D61482FA805F5B6595AEDF064C3C099C2B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                   Preview:<?xml version="1.0" encoding="UTF-16"?> <instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <instrumentation> <events> <provider symbol="Provider_SplashtopStreamer_Status" name="Splashtop-Splashtop Streamer-Status" message="$(string.Provider.SplashtopStreamer_Status)" guid="{66
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28160
                                                                                                  Entropy (8bit):3.7217591844595956
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/xr44ok0H+Re/1EPaTHV8GzXlGmYOom+rt12xROVSjfCKm/kIKz0+rIOsJ:/24ok0H+Re/1EPaiI1Y4O6Sv+q
                                                                                                  MD5:29F288F751FBCEA5CD75EA9774882787
                                                                                                  SHA1:5A4C30382C63E29E848B681D39CC213C2198E12E
                                                                                                  SHA-256:711702EB24803788CE601996F90B7EF57EEF1F764F7AAF3A96E2196ED4A9533E
                                                                                                  SHA-512:B7FC0A739B33E79232EF506393CF90297F4D41F165F34B5BE50648D8A1967419E1F0EE369E809D5C142898824E8B5A3784106D33A2D1D72CD811D5352F4BBD60
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28160
                                                                                                  Entropy (8bit):3.7214568392805565
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:xXxr44ok0H+Re/1EPaTHV8GzXlGmYOom+rt12xROVSjfCKm/kIKz0+rIOsJ:xX24ok0H+Re/1EPaiI1Y4O6Sv+q
                                                                                                  MD5:BE32CA6CD3810D278DC07C2D67FA5A44
                                                                                                  SHA1:63C47D24563F3E19BADE1482BA91D57542736C6C
                                                                                                  SHA-256:2F28F5D4952FD4430568AFCCE023C4885B47BF7C705950B252555C7D92EEFB72
                                                                                                  SHA-512:C21FF9E2116F0C469642C47B85E6D36970344F6C929B018DB6BED88FEFB54AA9C82EDDA1F9123F1B493E9046DE2B46C44C62900967752110EA056B54CEB56E85
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1458184
                                                                                                  Entropy (8bit):6.608368260050606
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:3u1d1TlM6S5+KpPH2+68gJ4dxM3GsFa8cihBUbo0h3yT26:3ub1T2B/+J4jMWsFa8cJbo0h3x6
                                                                                                  MD5:86FB762B6F48E0F579D8E1C20D829E5C
                                                                                                  SHA1:35643C93BAF6F1A0DC2607C2F65D339DD149FE71
                                                                                                  SHA-256:1837087E75DE428C18ACEC7F2EF7576752396A3A1EF15450230734E9EE194B28
                                                                                                  SHA-512:A0A53F0C256DD1ED0FA512E11A4AB936BD829B22E37C422194144CF022192B2C7157A4220BAD2ABF45CA6FF44FA3E954BE57147E57CB869D1E53399F5895FB13
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1721576
                                                                                                  Entropy (8bit):7.978334410477683
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:oU4MsColC6Je/ZgY7OOfcEpiRLH87SyVXGe38uKUj+NFVov1PJLfVKZ8F5mEeZWF:BFCsfZRZA6Xn388avVovfLd+Mo4iEF
                                                                                                  MD5:4DA5DA193E0E4F86F6F8FD43EF25329A
                                                                                                  SHA1:68A44D37FF535A2C454F2440E1429833A1C6D810
                                                                                                  SHA-256:18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
                                                                                                  SHA-512:B3D73ED5E45D6F2908B2F3086390DD28C1631E298756CEE9BDF26B185F0B77D1B8C03AD55E0495DBA982C5BED4A03337B130C76F7112F3E19821127D2CF36853
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15072
                                                                                                  Entropy (8bit):5.857603927715577
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yJaZmN9l0HNbsphoCqpQATeZjMcnYe+PjPGr9ZCApkT1rrZgjlerpLF+vctrie:kaZM0HlGOpQMejxnYPL/p1P6jeL3b
                                                                                                  MD5:3CDAE3B3A3AE968DB4756613EEFF3680
                                                                                                  SHA1:FF474C2D8A83BD5AF0A6B6CA954004D86BCF6FCA
                                                                                                  SHA-256:8DC9051BC452639550EC4F956F1DBBAC2D2A1886868C17743A3E4BE22297E166
                                                                                                  SHA-512:50E01496A3F891AC4BB455092427A4549406EAED44A292D415B8B42DF5FF72D1352EA6FCC66B2A11151AB9AE6590158753CC28E78F2DAC7FEBD5F6B8B4908126
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):21216
                                                                                                  Entropy (8bit):6.105547248727277
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Zfhpq1BKeL/JQyyo0Y0HgWjkRtPzjn4nYPL/p1P6jeL3fq4:hhpq1BK8/JMYChMxXn4umiP
                                                                                                  MD5:A10A6FC3F643F82777345ADDC182799A
                                                                                                  SHA1:015BDFF614CD475C119C9CDC25950E8226930584
                                                                                                  SHA-256:8D09A7643A0095A0077710423E7D8D7134F9197B6F73DA427333790BA3774A61
                                                                                                  SHA-512:5D2D6FDCCB9A99F95467E734AC83C77162D5D4509248A4BFDCE493BDD9D140220416095E0F75DDAB50071850FC0892CED2835336D1C42F4A3AC87F0D66C41ED8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1461992
                                                                                                  Entropy (8bit):7.976326629681077
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:GjG90oN2lj11mk/22yYzGrarZRm4X5Uh6rVh5LdfBwOyCSQM1fFhSWRA2+:iGtN2h1120R7m4XShYVxfBwrC21fXSz
                                                                                                  MD5:A9970042BE512C7981B36E689C5F3F9F
                                                                                                  SHA1:B0BA0DE22ADE0EE5324EAA82E179F41D2C67B63E
                                                                                                  SHA-256:7A6BF1F950684381205C717A51AF2D9C81B203CB1F3DB0006A4602E2DF675C77
                                                                                                  SHA-512:8377049F0AAEF7FFCB86D40E22CE8AA16E24CAD78DA1FB9B24EDFBC7561E3D4FD220D19414FA06964692C54E5CBC47EC87B1F3E2E63440C6986CB985A65CE27D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13024
                                                                                                  Entropy (8bit):5.821753253165571
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:hjJQAzeZjMpnYe+PjPGr9ZCApkT1rrZgjlerpLF+vctrMYPT:RJQUejknYPL/p1P6jeL32Y7
                                                                                                  MD5:C57099F9A63D144A9CDC103D2C42A6AC
                                                                                                  SHA1:F2AA1DBAC145BDA82DEDB69CA969EF4D0831C3DD
                                                                                                  SHA-256:D8390287A8865769BB50B0B83E7E7FC56B055BFC48D3513146CDB8D3954338BE
                                                                                                  SHA-512:18AB1AB0D233AEAAB786A28AEF766AAD9C683859628AEE94527C426DE7F63171345CAB4ECF96C54F19C93DF5E637A4D845C2487049DE161E19229F6253C775E4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):224
                                                                                                  Entropy (8bit):4.711399671949434
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dCiIc+JIIbdCiIevKIIlfRcGIIbdELVKT7:kidCicjdCiMt/jdx7
                                                                                                  MD5:001B12FA9D827E2A53675F4FFC5D68D8
                                                                                                  SHA1:0D1221A35F3FEF1B8B0B38E835BFB8F35357D3AB
                                                                                                  SHA-256:2C6E538B58C32DFFC7E3ED85175A2F5D08C5AA3FA68EE05207DB6A015D778DD1
                                                                                                  SHA-512:E85BAD69B1F36D36B96A03713B885FDDC485E7DA5A5FA4B07F5AFD7264BC9989F4AEA14822588F3921EFF4C6C5E7D2737CD382866A089DA8F4A19CAF69BC3FF3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe /r remove @HID\sthid* >> inst.log..utils\devcon.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd.exe /u sthid.inf >> inst.log..utils\devcon.exe install sthid.inf HID\sthid >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):232
                                                                                                  Entropy (8bit):4.799817305367961
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dRLPIc+JIIbdRLPIevKIIlBRcGIIbdRL6VKT7:kiddcjddMr/jdD7
                                                                                                  MD5:4D969376976863ABA27CCF817EB97219
                                                                                                  SHA1:F65EA3234AFC4741F48AF51EE83280520969BF5A
                                                                                                  SHA-256:C62D9158C0807D0EE3225E13BAD307199AF61DF1659ADCA91E1361865C325EEE
                                                                                                  SHA-512:88F38ED5AD7FECDE209782D1111C142BE63AE54D73A71E737BEBC0FB1498D7988AC9EC0173DEF5F6E0A17192A5F802145E69BFDA606B253AFBFE23B5058A7413
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove @HID\sthid* >> inst.log..utils\devcon64.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd64.exe /u sthid.inf >> inst.log..utils\devcon64.exe install sthid.inf HID\sthid >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11968
                                                                                                  Entropy (8bit):7.0656302139179195
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5eMsGsZrVjbd/22z0yK2zFWQFyGZh4qnajA3vKkCTglckNVa:HsGsZr5pRpFRj0lo3CXkNk
                                                                                                  MD5:50BD9CFE7F724B3001FC833FF3FC284D
                                                                                                  SHA1:5A2D4C52C87170AFAE9F3F4DC75A81A046FF3EEB
                                                                                                  SHA-256:C7AE67C9A0669F2798ECA4452552F8F4919E2FB6D117ED290AC3F64966ECEEE0
                                                                                                  SHA-512:52CC8930BAC7CBE7AF9C2B64D8A3BCF874D76DDFA21691B3B47E4B5BE938BF42D1D0BF0B6BFA3EEEC61D81328B41FB608AC8DA5F278BF06C1AB294B0055FB3FF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4350
                                                                                                  Entropy (8bit):5.269640657392187
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BmLnkrr4fzkQCmlCDHCMmDtu6KgbNHYFMDO:BmLny0fzkklCmBtu4NHBDO
                                                                                                  MD5:6580EDB5B8713F3BFD3DF983758A4EA3
                                                                                                  SHA1:1E6FC7E435A3C3E20E2CFF5356DED95CF0C7D0EB
                                                                                                  SHA-256:815FBD6C3BFAE5EA77ED77480FAAC1AFAE946D4BF109B95480C60030A83AE1B1
                                                                                                  SHA-512:EA332A77DBDCC2184B2154EF496DAE4C663075447EC4ACF61E83A5AAACCF702E2F0E0F6D7F91E4499993A9B9D7C3A9A21C495EEAD606E2F5EB5F4DF272A86928
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$CHICAGO$"..Class=HIDClass..ClassGuid={745a17a0-74d3-11d0-b6fe-00a0c90f57da}..Provider=%splashtop%..DriverVer=02/18/2013,1.0.0.5..CatalogFile=sthid.cat....[SourceDisksFiles]..sthid.sys = 99..hidkmdf.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,\64bits....[DestinationDirs]..CopyFunctionDriver = 12 ....[Manufacturer]..%splashtop%=Vendor, NTx86, NTx86.6.1, NTAMD64, NTAMD64.6.1....; For XP and later..[Vendor.NTx86]..%splashtop.DeviceDesc% = sthid.Inst, HID\StHid....[Vendor.NTAMD64]..%splashtop.DeviceDesc% = sthid.Inst, HID\StHid....; For Win7 and later so that we can use inbox HID-KMDF mapper..[Vendor.NTx86.6.1]..%splashtop.DeviceDesc% = sthid.Inst.Win7, HID\StHid....[Vendor.NTAMD64.6.1]..%splashtop.DeviceDesc% = sthid.Inst.Win7, HID\StHid....;===============================================================..; sthid for XP thru Vista..;===========================================================
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18144
                                                                                                  Entropy (8bit):6.199619066707982
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:D+CpJmsGTJgbzPvaen0XUqcZzpV1DzjBnYPL/p1P6jeL3CX:B85e4+zpbXBumPX
                                                                                                  MD5:5904635A7888083EBB86C3A1218CB59B
                                                                                                  SHA1:69540333726CEF1EABD5B75D56822B36F9065840
                                                                                                  SHA-256:00648146272AF74EF5B1E74E83F58280FA1CC403621941AB3CB4E731756289F7
                                                                                                  SHA-512:56B936EFBD05D0906577754334D9B1A562AE0AD25574E22149C6BD97950FD73809A4EF1542D4D7CAA4E5B81DF53975FDB1D57381232F9B8D17A463F1E1A81859
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):164
                                                                                                  Entropy (8bit):4.75247427731045
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:jTDVBF+jVy/d/KiIKTAFshseJDo7EIbd/KiIKTA8vXto7EIl2YR41NDoC:/Ajs/dCiIc+JIIbdCiIevKIIlfRcGC
                                                                                                  MD5:6E5A084690CBEDCB4F74C1C365F2048E
                                                                                                  SHA1:379AF77A9066EE1EFEA1C17A21CF1C0AD7BF17FD
                                                                                                  SHA-256:F67BFB651037E84F5AE6965B5511FA1B9BD2C819B034A8284462AF01C0E0148F
                                                                                                  SHA-512:1ED233EF2BB513DCB9F3610AC36BBEB07259EAC7BA6F96E596B111C137F6B1BB35E1200ECAB3914925C6CCB80CD3A74ACEB40FA3775300151D34C7AB9C47A84F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe /r remove @HID\sthid* >> inst.log..utils\devcon.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd.exe /u sthid.inf >> inst.log
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):172
                                                                                                  Entropy (8bit):4.845091480099467
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:jTDVBF+jVy/dRLX/IKTAFshseJDo7EIbdRLX/IKTA8vXto7EIl3xR41NDo7n:/Ajs/dRLPIc+JIIbdRLPIevKIIlBRcG7
                                                                                                  MD5:C949FE57CE36D8C5FF18AD66A5C83138
                                                                                                  SHA1:BE891CE4AF8434FB3A439F7F0CB9EC3E17BDB99A
                                                                                                  SHA-256:8A5E292037FFC57F78E8C8D8AE945C319A41FABEB2112099BA3FFD9D08D4C1AA
                                                                                                  SHA-512:5F22FB7C586852EF5EDB8A28250B4BAA2194FE7599E1EF0733554E512ADCC7326D625F67CACD21C06A3B9A8B43AAF7B8E23D1C529FCC1B36D3E983AF5384FC4B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove @HID\sthid* >> inst.log..utils\devcon64.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd64.exe /u sthid.inf >> inst.log..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows Registry little-endian text (Win2K or above)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):288
                                                                                                  Entropy (8bit):3.654691319611147
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAG+DZeMV4GGMVQIwchhyR12qv:Qy5hVZteAxDZBuGp/hUp
                                                                                                  MD5:AFB11B8A638A36856B635F9805BEC627
                                                                                                  SHA1:29E88479691D922698D1DAEC3F06EFD438CB90F1
                                                                                                  SHA-256:908EF8C0EEE73EFFAE7CA6AAEF29387302B1D69AEBE5EA587DEE7F1589F418D6
                                                                                                  SHA-512:1C929F635DF273BF7843A433C461761374E3CE8B2A41C479E2AA9B6A27F4CEF5CE78BAE8902EE99673E33E9E165333A1A4C09D8503F259809F282E6B4A15EBA9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:Windows Registry Editor Version 5.00....[HKEY_LOCAL_MACHINE\SOFTWARE\Splashtop Inc.\Splashtop Remote Server].."StHidSupport"=dword:00000000....
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows Registry little-endian text (Win2K or above)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):288
                                                                                                  Entropy (8bit):3.6709758888329973
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAG+DZeMV4GGMVQIwchhyR12q8:Qy5hVZteAxDZBuGp/hU2
                                                                                                  MD5:4F4EC6847BC91FCFAC8BFE7840649CCE
                                                                                                  SHA1:642FB6860473391D28E1DC407A81B3829D048AFC
                                                                                                  SHA-256:CC4837A65AE43EDF3AA3FD2C77912A881694C43EE203A127CE27641455AC7AD3
                                                                                                  SHA-512:C896A60395237BED708C79CDBFF2FE9685E8B42A140EF96C2352559128B7700DFF8CA7267261A9EB5143583F296D0498C811E092516408B5500CC75DA8409C44
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:Windows Registry Editor Version 5.00....[HKEY_LOCAL_MACHINE\SOFTWARE\Splashtop Inc.\Splashtop Remote Server].."StHidSupport"=dword:00000001....
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):207368
                                                                                                  Entropy (8bit):6.378808548088601
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:MGvbxQU5LtKgqNkNG7MJWl8k0XbTqShbC4bNz3T0pqKJ:FLsglJNh1bNz3T0p1J
                                                                                                  MD5:A105E10AB81079B7700356131D2D0161
                                                                                                  SHA1:3954BF9B1A169D1BD93CA36181DB074786442A73
                                                                                                  SHA-256:70D0E42A6A3BCC049EDD3EA5470005F580CFF6A2253699A9F437F04C1EBE349F
                                                                                                  SHA-512:B5682189597DCD5E3843D640DA3230711EA33FBD907EF1D79D7E3B3985BEA6AEA48BF5EF4FCE93D89459B00EBBDD428CC049D950602F4027823DDBBEDE2A89C7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):198608
                                                                                                  Entropy (8bit):6.465406905232138
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:mNvlfI7fn3+ksrtRYs5BZdHEsTznNZQtiF22W9bKReKn:+fMnuhrrYszTjTQtiF22WKl
                                                                                                  MD5:B51CB7BD99774F42D4FCD81522E159DA
                                                                                                  SHA1:815646C93E09F0DB23951F3D8CD7319240CDBD43
                                                                                                  SHA-256:55C8BEEBC29238A691AF1FDF44D922BDAC9B47034956311A9D467374049462C2
                                                                                                  SHA-512:3375489BC03A442775FB02C5AB1D264FF2A972A805179B9F860D1FF26F09E529DCF7D03EA18CF3D56FC1DD429423C344CBFC4B89F20158D84896AA257240796A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):561584
                                                                                                  Entropy (8bit):6.5335413043485335
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:n+Uac7b2syTCmCZ9z7I6KxOYDkHlTiO+k86hiCivi:+UacGbC7bYgHlTi6eo
                                                                                                  MD5:A9A9D31764B50858A01B1FB228406F06
                                                                                                  SHA1:7A313C46F049287045992F54F9D6EDA9DB568EF8
                                                                                                  SHA-256:C0BABD7670124BB298D3BA6A8EE5AE33AD1030C08A18D8B8861F5D83003EB645
                                                                                                  SHA-512:164D5497AA91A5B4742A291F589400BC0B189AF946615A2F04E6CFD1ED598A542F7521E4DD79AAB99414846A3C391255309F911C247EF446A0483D9FAB6EFDFC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1077592
                                                                                                  Entropy (8bit):6.435239338734592
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:n7PeeMxAg8KA6EhyC/H488sCGF8MBo9Bi8sROlu4VWKl6sEPdf8/2RYv:cxNEhyC/H488sLqMDIlu4Nl6suK2Re
                                                                                                  MD5:EEDA10135EDE6EDB5C85DF3BD878E557
                                                                                                  SHA1:8A1059DFD641269945E7A2710B684881BB63E8D2
                                                                                                  SHA-256:4B890DE3708716D81C1C719B498734339D417E8FFC4955D81483D1EBC0F84697
                                                                                                  SHA-512:A56BFC73537E36EFBA8E09FFD0B2F6BFC56BC4CB4FE90B52858C7AFD5D67DB23CCBA51C8097BEFE4ECB5082BA66C2B2612E2975EF3448252C48B97F41D12D591
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):592
                                                                                                  Entropy (8bit):5.220610311013542
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:oOtKAD4cL4jVpfWBzX2TShiucyfQ3W+/07T1raW1ijTofkVge1O0lgxErqM6n:ocKVg30ucSw07TNa97VgQ6erJ6
                                                                                                  MD5:E077993E994D28BBC7502681280C5551
                                                                                                  SHA1:9C3B360F9E81CCF8C8B56BE25E4CE9D67D1F61B4
                                                                                                  SHA-256:B8D539255FB1EA42EE3B06F0E314B037E35701E2B258272889D866DD3419526B
                                                                                                  SHA-512:B2FED3539BD94999F9F9A2CFEBAC6A3632212C10F3D97A5129E444FC548D1685877D0810790B71D342A4EF9080D1EFC73BF7A9493B5CCBD93232231EE2251ABE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:config_diagnostics = 1..openssl_conf = openssl_init....[openssl_init]..providers = provider_sect....[provider_sect]..fips = fips_sect..base = base_sect....[fips_sect]..activate = 1..install-version = 1..conditional-errors = 1..security-checks = 1..module-mac = 73:FF:87:A3:02:5E:E0:EE:AC:F3:E0:B1:9C:93:CB:FD:3D:05:93:39:98:A8:41:A4:EA:76:82:17:3B:38:E8:86..install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11..install-status = INSTALL_SELF_TEST_KATS_RUN....[base_sect]..activate = 1....[algorithm_sect]..default_properties = fips=yes
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):697352
                                                                                                  Entropy (8bit):7.893951271183897
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:OB44g9qIIyg5RJbw/L5zQZVaOwZdTGJ5zk1m5GFsXvHOg9wlU7:OB44lIIygZb8L5zQyXZRdi2apwlU7
                                                                                                  MD5:68D8D459EE6A5027FFE35302B21D66FA
                                                                                                  SHA1:91299E1FF75B293A18105FBDFCB2CDE92A6C8507
                                                                                                  SHA-256:0EF5739FCC3850411E1DB6AF2E194E25C7E473BB950A387A7C851FE02660B4E8
                                                                                                  SHA-512:C032E6C057DA58374FF51B50B2146E4B27EB6A18A452668EB2C78E3F4E729399F303873A2DC40F5910826A4F23146DFB851B62DF3D5948A9039EC6ED23E53B32
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):168
                                                                                                  Entropy (8bit):4.40567624896974
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:ekfDaZOtK1FA1Jn4R7mvLvn4RYVXKCw/AFLr+TmNfOmZyJn:xiOtKADn4NmvDn42oCQG3+TJn
                                                                                                  MD5:A43B7D72B482D48804B377D8832C2693
                                                                                                  SHA1:B1598EFDA8E9863F520ABEF9AAA942C313C002FD
                                                                                                  SHA-256:9ACDE3809E2C02FE5D6C59153AEFFFE6628996EC5CFB7C2385865DCD1EC8BE7E
                                                                                                  SHA-512:F0777A8F79E70F8A12F531C3E77F5241E9ED46ACC6A1CBF06FF7A29D91EE281E4CD2A9C1832642992FE74D33B052670F85439E5925FDB7C44DE60014E53712DA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:config_diagnostics = 1..openssl_conf = openssl_init....[openssl_init]..providers = provider_sect....[provider_sect]..legacy = legacy_sect....[legacy_sect]..activate = 1
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):160776
                                                                                                  Entropy (8bit):7.897311739545073
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:M2uLSdBwPPvzj+2a7wQptIkcIWqmHT+BBI/gM6Z+a:Xum0PSwQptIXIWqyH4MO
                                                                                                  MD5:CF52DBEFBE8BC2DCD493CDBF050048E1
                                                                                                  SHA1:AED132B049C77FD77645D07B443E1B4E96CB5E51
                                                                                                  SHA-256:8080E398EDC43E652C0A104F62AD3C865E9BDC75C2E3936870DEAF43FEDBC3A4
                                                                                                  SHA-512:75133444A893002B9933EB3A44B66CD862FEDC9C05579B188EB250BBC3CC00C61533FB3AA58A1D9B89B45F83CFF8A3B02CB0FB605B299E0E7BACE13B99020207
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):106496
                                                                                                  Entropy (8bit):6.320347627393314
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:gdvQnJ9Cy5G4XmkRCXZ5YPPAq4SjIZUKzFrRjbuPp9ABU:gdvby0lZ5YPPAq4SjIZUKLjbuPTgU
                                                                                                  MD5:D858121C47064F3DD7DDA829D1E01620
                                                                                                  SHA1:5F46AFAD5EEF3CA6E06D6D9DD660BA21A1CAD711
                                                                                                  SHA-256:C4324843F73B573D9D569012E37D17A34E17D0DBA55CB77993531A42667994B5
                                                                                                  SHA-512:C807D41739FA6519F0C3662C47BDD58860F87068177A9024C0E6C98FE9A27E2C73A57F81909AFD9A7756F3D54C88AC8007EE37E9B3FA5F0A04E3F8A9BEC74D20
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1326600
                                                                                                  Entropy (8bit):7.8708551072063875
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:U1RJO1z1sYP0y5EU9dt6VpjccWjqV9JSJkj+KuZzwBMwNG7RHHsi4+uC5:UtO11sYF5LGVyfqV/TyDZzsMEQw+uC5
                                                                                                  MD5:72D867E8C7A84374AA72BF7FECA4334E
                                                                                                  SHA1:BBE4C42BEB19A1F23BFBCFC5A67164D5EA29784E
                                                                                                  SHA-256:17D29B81FAEA714B5A93008711D92D1329B22244A2E9F56736064CAA4FD3CD84
                                                                                                  SHA-512:B523DF6FFE4A51180CDF2BDA761B01A521391A6B24E081309C33C91835C19BE96015B932D527822F5837802A979A3C48F5CC111892C47C082E8BCB8F2115AC3F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):374280
                                                                                                  Entropy (8bit):7.91728824512086
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:WYe2D4vE6mAQmh9ophnxdm2U6jpn99hURD+2XIG/jNsfowDmbpNsD5PK07OxI4ME:1DqqAQnvnxdmFopn98hR/jGnDOKSsNTY
                                                                                                  MD5:278D7F9C9A7526F35E1774CCA0059C36
                                                                                                  SHA1:423F1EBD3CBD52046A16538D6BAA17076610CB2F
                                                                                                  SHA-256:12177DAE5E123526E96023A48752AE0CB47E9F6EEAFC20960F5A95CA6052D1B8
                                                                                                  SHA-512:75F8C4856FB04B2D5E491F32584F0AAEFA0D42356E12320CBCB67DF48E59C7F644512C2C5146FD7791C2CCB770FD709A8D8E4C72EAFB74C39E1336ACCB49A044
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):623056
                                                                                                  Entropy (8bit):6.452703221703766
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:vcqfl06LEuieb/drb93hVzyp5dl+lyyMKhoRZhD9ZKck9Qh/5Ffdw0CnbHu9gJJt:kqdFzbFrbUp5dl+lyyMKhoRZhD9ZKckB
                                                                                                  MD5:B03D660319962C265C8A5E6F89CD019D
                                                                                                  SHA1:289BA87563ABA33D9385C04834745AF4F5BE1882
                                                                                                  SHA-256:66ECEBD3D11557D42AE33B64E522F371D6D27651B8B7350BEF41F691FAB1465E
                                                                                                  SHA-512:F5376FE1195A14DCC4F1265F61088EF0452C72DCF17F0B7AA4ED4DB903347C60C9557E556DEAF0244DB0A5F3EA8B7065D7D66BD1638D1EC566EE26110854D5E1
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):341512
                                                                                                  Entropy (8bit):7.896157399444813
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:M9tl9yREhb42jcvlftvY5RL2vu2K2KTYJ1EbH18sggSNOCZ174h5o1YL6yTlNhRY:M9tcu4Jlft1223K61EjNSNOWih5y38lu
                                                                                                  MD5:99A6A9656DA926AF8AA648D50B47DCFB
                                                                                                  SHA1:81DB96003BD8F63250ABC7E59FB35E0227D3F28A
                                                                                                  SHA-256:FDF1F9D0AF4FF8E5CBD4387D6849327E91F0EEDD1BEFE58D7DD8B6EC40E90A98
                                                                                                  SHA-512:16E850FDABF76A11ED4176E0FD57DAFB64FAF9551EA220D003C5A86AFF8C39AB40D66F7AC7FCC6EF71CFA7E1D6268BBC23E32AA5CF69DF58A5D05F666701F3C0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1080328
                                                                                                  Entropy (8bit):6.546182768824596
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:B99IeBE76bZaCUrF0XbuqIpInZVrUCzfk44dN:B9S+EAZeY/UfP
                                                                                                  MD5:86E88F1FB340A5277C93EA1CE13BBC3A
                                                                                                  SHA1:89AC87A63B5F8FF5510A555F5FB9F033BE6CA684
                                                                                                  SHA-256:36835DDABB167330B4714B106B7C26E8DAC6A9ACF7C48A9967049B0FAA6BC709
                                                                                                  SHA-512:2131686FFAE474AD8A98A20B18DDD5A9E19C86B76FE2F3B4A2E648F3990F43EA4855AD72F2B33C9D89174E23A4FBAE1F9D92EDA0672A32D1FF90E7F3A79AB996
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6329352
                                                                                                  Entropy (8bit):7.4738813606885115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:196608:Jt6kO6/VTpHN7Znz3/8ocePOfY0VkOl9By453fA9NBF7QmQVmdYdlkSImp:QDiBFVImdYIE
                                                                                                  MD5:AC2D9A2E18E2E094D7B5CA8E817E3FFF
                                                                                                  SHA1:3371C9E19CCE06550E79C6C8FE679500468B1EC5
                                                                                                  SHA-256:0F23E1B1E15E7C1D4195CB8F2084826AC71D0859FC0DB6B32A5742F91F8F85D3
                                                                                                  SHA-512:1D1C390BEAD73C3D9493BBFFDBAACF1FC28082ED191343BAED84FB7DE47B98DD9AE554453A5A7654180FCDF4BE0D0804D813E7BBF4CE25639166CF476D995853
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2005000
                                                                                                  Entropy (8bit):6.624696799511872
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:rwkv3AEJVKqoLUlWLSEs8DpybBXpL3yZBvlO5:rwC3j2qAUlWLSLmpGBXpL3yHlW
                                                                                                  MD5:0D77D0EDAB71BC7CE8548046C6F5A20D
                                                                                                  SHA1:E36342F383ABF011CF58ED60EB13D91BA34E3A34
                                                                                                  SHA-256:BEB0305A0FB9A46968FFB2BC79517A99A576035526C84BDBDF9BE133F011C664
                                                                                                  SHA-512:DED77DCA4844392C1B1DCC15639D0B25F7D63280004FD0F04841C7B3888A3C57A6C87D21D49E2C5CE2896424A10ED8268D279C6DAD75C79CEB534B7722D539C6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1983496
                                                                                                  Entropy (8bit):6.6299038070846645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:NIYgCqjym2NozCi6nYZsv/WXS6zuB41zLeBI6J:N7gll1C5nYZsvOXS0s41zLeBIq
                                                                                                  MD5:75AB51BAB8CD08516EB80A3BF7731B02
                                                                                                  SHA1:004A198392505D21FCDFF8BBA03D90496FBC284F
                                                                                                  SHA-256:69B43E8DDB44805F4B8D0DFE96E87AEAF62539222AC3EC3D76A181111C42C8FE
                                                                                                  SHA-512:7FB64882BDDA4E60DBFB73879AE1A6F35E6F6ABBF2E35EE3C599AA4721EA001D026A43AC8AA480E850DEFBE5ABD28A24EB0EEC09F31C433466B70D1C9BEDFACC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2106376
                                                                                                  Entropy (8bit):6.6280788769386465
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:y48idMQ9Y5ZcUJ7eUDnfc2/wkj344rVDqef5IIuV4aj:84B9Aew7zDnfc2/Jj344rVDqef5A
                                                                                                  MD5:942C70152BA3244B62A888D6A938BF53
                                                                                                  SHA1:634E1E1BF677583CA95F576CF6B637843B4A1FF6
                                                                                                  SHA-256:54E7615D9793B38A0132A3363A81791D1DCA92E50772919FF341B7537FD6CB6E
                                                                                                  SHA-512:2C1873E205659FCCD575E7E84E710607C7F1F9048F3F20A02135B0BDCB5685ADB81D404E58E03FF141A7B045A02417F7B7349AEE8C2BB3FCAEA7E386C12A0020
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2348552
                                                                                                  Entropy (8bit):6.688294936308829
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:HTRAnBdwDzYRzDHUF0GYbijFnrQ/W+52Nc5hM0wTcC1za:HtABCDozDUF0zbijtrQ/W+52S5hM0lCY
                                                                                                  MD5:03C936EF7404BF8AFE5CBA9DE78CB739
                                                                                                  SHA1:B4A5A4FB99A0F8BE1C8EFA19B4FF89353C471686
                                                                                                  SHA-256:4A402E31075D7DA14D666B03B23263A051301341D0118016A72D062FF7045D26
                                                                                                  SHA-512:78B94138FD58009F38E4CE1444FC1EC19A165C32537FED1E84C10767B4F525CFE88C8F42A7F5D9E9529C8175597B9D2001F65BBBA0D6BE364D3ADE39309CEABA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):108032
                                                                                                  Entropy (8bit):6.392406183079777
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:4DMkwASAlBbybU8rxkQz/g9pV9Z2dcvxp267OKiY+dp9oL:4oASAv9FYUp3OKiY+n9oL
                                                                                                  MD5:93601A93026211DE5CB00C3827883EEC
                                                                                                  SHA1:931CBC627272361425EFCAEE6362B041A3FF6E3B
                                                                                                  SHA-256:1959B8E79F5BC0AB7451F0F362A714572136503C864C974E1088B1951EE592A1
                                                                                                  SHA-512:53C5F46A1E1F188C429EE686F9CE7E0A8ED5B5BDFA51D8DD3B619B9FD61B8F6EDCC162BCBA667E6336CBED8056F0A17A614170C60059BDB2947770223D19FBC5
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3221
                                                                                                  Entropy (8bit):5.297235243948338
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:3UoGnVsAdB/+8W3/VcCDO/wAKCRIpCBIweFC4+C/+CYFc:3UoGnVldBWtejp6tL
                                                                                                  MD5:ABE8E3568B6D951E7DD395DA46531932
                                                                                                  SHA1:304D81C1B48E16533EF691A9C965818136B9583C
                                                                                                  SHA-256:EB700422C31C15757A6C70141274A184D291AAC3BDE191A964F75A90BC084143
                                                                                                  SHA-512:19A79D90883103302BDDBAC8A765C6A5196FB78C223D911633285B4BA44EBFFA9C64690102498E3BEF5991DBA0F28847473A44D4F9AA7D637A4C4D3F1EFEA12E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:
@ECHO OFF
rem %1 - mode
set RMode=%1

IF NOT defined RMode (
 set RMode=1
)

echo RMode=%RMode%

IF %RMode% EQU 1 goto close_and_open
IF %RMode% EQU 2 goto normal_reboot
IF %RMode% EQU 3 goto reboot_to_safemode
IF %RMode% EQU 4 goto shutdown_byebye
IF %RMode% EQU 5 goto boot_to_normal
IF %RMode% EQU 6 goto boot_to_safemode
IF %RMode% EQU 7 goto normal_reboot_asrs

echo RMode=%RMode%

:close_and_open
net stop splashtopremoteservice & timeout /t 5 & net start splashtopremoteservice
GOTO end

:normal_reboot
SHUTDOWN -t 10 -r -f -c "Your Splashtop admin has issued a reboot."
GOTO end

:normal_reboot_asrs
SHUTDOWN -t 25 -r -f -c "Your Splashtop admin has issued a reboot."
GOTO end

:shutdown_byebye
shutdown -t 10 -s -f
GOTO end

:boot_to_normal
ver
ver | findstr /i "10\.0\.*\." > nul
IF %ERRORLEVEL% EQU 0 goto ver_nt6x_boot_normal
ver | findstr /i "5\.*\." > nul
IF %ERRORLEVEL% EQU 0 goto ver_nt5x_boot_normal
ver | findstr /i "6\.*\." > nul
IF %ER
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):194632
                                                                                                  Entropy (8bit):6.700953544041196
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:CgElAKvMslbFN3XCm3dbSDcTn6iw5t4FEvQeXyB8LGeph+K:IFD3dmABw5SFEv/ypeqK
                                                                                                  MD5:4A2F597C15AD595CFD83F8A34A0AB07A
                                                                                                  SHA1:7F6481BE6DDD959ADDE53251FA7E9283A01F0962
                                                                                                  SHA-256:5E756F0F1164B7519D2269AA85E43B435B5C7B92E65ED84E6051E75502F31804
                                                                                                  SHA-512:0E868AD546A6081DE76B4A5CDCC7D457B2F0FB7239DC676C17C46A988A02696B12A9C3A85F627C76E6524F9A3ED25F2D9B8E8764D7E18FC708EAD4475591946F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):145968
                                                                                                  Entropy (8bit):5.874150428357998
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                  MD5:477293F80461713D51A98A24023D45E8
                                                                                                  SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                  SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                  SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1442
                                                                                                  Entropy (8bit):5.076953226383825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                  MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                  SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                  SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                  SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3318832
                                                                                                  Entropy (8bit):6.534876879948643
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                  MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                  SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                  SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                  SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):215088
                                                                                                  Entropy (8bit):6.030864151731967
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                  MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                  SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                  SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                  SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.96048066969898
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                  MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                  SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                  SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                  SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):602672
                                                                                                  Entropy (8bit):6.145404526272746
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                  MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                  SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                  SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                  SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.954475034553661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                  MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                  SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                  SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                  SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2402
                                                                                                  Entropy (8bit):5.362731083469072
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                  MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                  SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                  SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                  SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):651
                                                                                                  Entropy (8bit):5.343677015075984
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                  MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                  SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                  SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                  SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2994176
                                                                                                  Entropy (8bit):7.878676550924149
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:U+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:U+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                  MD5:ACD50DA7436621368061ABC2CA6193FE
                                                                                                  SHA1:7C7A9109E7E576CA2975305867937F3575E8D749
                                                                                                  SHA-256:2BA7C24B984423BDA7B4982B3B6E230A6C0F2DAE44B580C6F02D133E625FD3BB
                                                                                                  SHA-512:CB35976890DC5F63CB8307D258CB3FF17FEEBD5D0A113E7091D08408C2842FBC34145DDF3FD4351FD9FE5187DD18906ACCCAA4C189199C688B405B7E3A005DAB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2994176
                                                                                                  Entropy (8bit):7.878676550924149
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:U+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:U+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                  MD5:ACD50DA7436621368061ABC2CA6193FE
                                                                                                  SHA1:7C7A9109E7E576CA2975305867937F3575E8D749
                                                                                                  SHA-256:2BA7C24B984423BDA7B4982B3B6E230A6C0F2DAE44B580C6F02D133E625FD3BB
                                                                                                  SHA-512:CB35976890DC5F63CB8307D258CB3FF17FEEBD5D0A113E7091D08408C2842FBC34145DDF3FD4351FD9FE5187DD18906ACCCAA4C189199C688B405B7E3A005DAB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2994176
                                                                                                  Entropy (8bit):7.878630966889847
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                  MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                  SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                  SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                  SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Wed Jul 24 16:38:14 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.0.1;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.0.1;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49613312
                                                                                                  Entropy (8bit):7.959491759228612
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:786432:/TVOuIdnXeYOf9QBOgMqoaen728gEb4dIgEdj8SmIqm50m:bVO+4bvXQ/mo50m
                                                                                                  MD5:639743F4492FEBF52CC9A446AB8F34E2
                                                                                                  SHA1:8486BE67E38B7FC0C12CEAD56A924F843296C02A
                                                                                                  SHA-256:2E9795EB82BDCC44F6535AEF7D06E60778DA018F849443C3B5E38D551CB2857F
                                                                                                  SHA-512:AA55D5EE9682F51B97165E3908AB26859EC9D8BD05D8679AB1B5BF3F5EDD9AAED35813C52C4D9B0C3C0343D838914790689911A435BDB8D3067892633A9316A1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                  Category:dropped
                                                                                                  Size (bytes):521954
                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25600
                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI1667.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1538
                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):184240
                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):711952
                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):61448
                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                  Category:dropped
                                                                                                  Size (bytes):521954
                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25600
                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2299.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1538
                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):184240
                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25600
                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2828.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1538
                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):184240
                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):711952
                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):61448
                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):436006
                                                                                                  Entropy (8bit):6.651538835509769
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:4t3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:wzOE2Z34KGzOE2Z34K5
                                                                                                  MD5:84FEFB939718F3BE0D4BFD2AF2887C56
                                                                                                  SHA1:0DDB8AB0B7AF3368F7652C64F47D32D8172F6583
                                                                                                  SHA-256:6952DDE43449589801D32CF886AD37BAE77DCCA19A140971FE7A6D73833FF0C2
                                                                                                  SHA-512:6480FF2FEB432FF302C525EEBCC4A3D8AFD2A77944B74FF8B4CA38558088EB132517865B7385A6B68C84A6F08DFAB8EFDE7FB95415F653A395A45F962FC61A84
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI3099.tmp, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@i..Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent6.SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P.........................................
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                  Category:dropped
                                                                                                  Size (bytes):521954
                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25600
                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI35E4.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1538
                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):184240
                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):711952
                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):61448
                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):437371
                                                                                                  Entropy (8bit):6.648162831846116
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:Et3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Ksy:0zOE2Z34KGzOE2Z34K5
                                                                                                  MD5:CF0D696752CC7DFE57DDDF2DDD5CAB15
                                                                                                  SHA1:585FFB76AA34834DC46EAED4DB712CAA0EA08C60
                                                                                                  SHA-256:EA5C433F75C9672EAC1BE406A79F0E51A9D0BAA6B680DCCF5D1DA5C584199D7F
                                                                                                  SHA-512:4C203E9BA7CDE56DF8FDA5AB3EA861602FDABAA4762374A18F0E84FD5C6399A7234394E079068F5A247EFE0361E6A1C22B799521DE394ACB986B85FD2D0D0A92
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI37F9.tmp, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@G..Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent6.SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<...............
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):437217
                                                                                                  Entropy (8bit):6.647817725656691
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:vt3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4Ksj:VzOE2Z34K+zOE2Z34Ke
                                                                                                  MD5:9AE781A5271CD03750DFAEF7FABF35DB
                                                                                                  SHA1:9A95015E795457D5A041E132157D21DC138D6D0D
                                                                                                  SHA-256:4398D525961971D3A6413352DFA6DA1453B6E86709C79F822BC870F0DF64D1A3
                                                                                                  SHA-512:43EF598190A960E24882EA87922191816652B1BE5DC6AE467A5C8FF6933012965C0C5E126A54C7E46F365817173F365B5FD444B197E2B20ADC20E0DAFEBB8836
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI4A4F.tmp, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@l..Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                  Category:dropped
                                                                                                  Size (bytes):521954
                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25600
                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI4EF0.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1538
                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):184240
                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):711952
                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):61448
                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):182768
                                                                                                  Entropy (8bit):6.29474871459677
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:M3hCcV2YVWR8xSSIqeCjEIz+hZvgvE5Q+yq8MPdJ0xH:ErTz9Pj/Ag/+XPw
                                                                                                  MD5:9ED1749276D20BE78D5E7A30D658C484
                                                                                                  SHA1:EAAEA2656A63366A888955CE030E091FEA70F0F6
                                                                                                  SHA-256:61F398C652504FEE07AF12AC50D4A70ECFF641234A4EDA59C68EC937B6D80C96
                                                                                                  SHA-512:33ACF0BDBD1F33526D348A47BC00963843FC72EB203DF07D0136110109C892FB20AA9D3147204F958B95D750F7F98EB5DF3C387ED4B8802B7F929F201B41E90F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):171064
                                                                                                  Entropy (8bit):6.093983981233022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:jq44uv69SIrScxe0IZNJ+x+uk+hZPDFNkXAO4VR:jfn2Slcxe0Fc9CcQO2
                                                                                                  MD5:E80F90724939D4F85FC49DE2460B94B5
                                                                                                  SHA1:512EA4DEBA1C97CC7EC394BCE0E4A32CD497176E
                                                                                                  SHA-256:8041D3CCBAFA491D35F70030C3AFEBA683B0235BED24F242878D04C7E87B8687
                                                                                                  SHA-512:9494F1CD058DC3923E4F562D8ED2EDF3D252F519EFC6DB4F1B5289D8A1B841A6CB927E14D33DAB98E0BD4D22A5A473B8CD9424F77213527FBE0C183126356767
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4716331
                                                                                                  Entropy (8bit):7.577108587755452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:k3H5BNwueVRfsqc+cCD+EATIStpnSbkGPCpt4a3yRJbs4OIM5:k3H5BNMsNi+pn7d4aOtGZ
                                                                                                  MD5:ED1AD76A6A0B2F8A3D9819256297FD89
                                                                                                  SHA1:9B1773C2D4D2ABE0DB5A5D72746ECD4F28F81EDC
                                                                                                  SHA-256:377EF03FDDCD6B14A3C93D8C574A16091590008B6D4149F9CE4A7ECAD7008B92
                                                                                                  SHA-512:9B7D2E9D56674971580A22C912B858FCB305D1DC19CC6F8087C11FFC161D2D97338F7DF1C73C586E6ABC763A3673D2795EFB1B0A7A657A4CFDD68C57AA640DBB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4716331
                                                                                                  Entropy (8bit):7.577108587755452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:k3H5BNwueVRfsqc+cCD+EATIStpnSbkGPCpt4a3yRJbs4OIM5:k3H5BNMsNi+pn7d4aOtGZ
                                                                                                  MD5:ED1AD76A6A0B2F8A3D9819256297FD89
                                                                                                  SHA1:9B1773C2D4D2ABE0DB5A5D72746ECD4F28F81EDC
                                                                                                  SHA-256:377EF03FDDCD6B14A3C93D8C574A16091590008B6D4149F9CE4A7ECAD7008B92
                                                                                                  SHA-512:9B7D2E9D56674971580A22C912B858FCB305D1DC19CC6F8087C11FFC161D2D97338F7DF1C73C586E6ABC763A3673D2795EFB1B0A7A657A4CFDD68C57AA640DBB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):563441
                                                                                                  Entropy (8bit):5.784176458640699
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:Ew9f7f8m8end5Xy+1kvI8k9W91iVXuXskIh6:E0h8edk+1kv5K+Wh6
                                                                                                  MD5:3B5EF2FBE32D21D316BBF44291177373
                                                                                                  SHA1:1D960BD1DE785E40004A2815F33904C78FCFC4E4
                                                                                                  SHA-256:38CBB192DAA897A04A472B2F8CDDBDF16A2753E1407F6C512FC212065FB77CC0
                                                                                                  SHA-512:DEEDD325B271685EF67CFE46CBE7063EF572F55A3231613AA9557C96A20C586CFCAE4951D0E02B286AFE949C81B49F8A11894891D0BBA6C550FF394665EB58C5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@z..Y.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3D8827C3-3F73-4AD7-9420-7CA93653C8F2}2.C:\Program Files (x86)\Splashtop\Splashtop Remote\.@.......@.....@.....@......&.{61B538AB-B209-C01B-F95C-B0A0531054D2}M.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm.@.......@.....@.....@......&.{3742F778-8BAC-9729-A5BE-712DA9BEB95A}@.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\.@.......@.....@.....@......&.{ADBB7064-411F-E593-D901-EACB3BA8154E}Z.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_dr
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14149796
                                                                                                  Entropy (8bit):7.5770846300289305
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:393216:zBdi+17iaOtG4Bdi+17iaOtGpBdi+17iaOtGC:F7ZOtB7ZOta7ZOtX
                                                                                                  MD5:8B889E98894319DA7626DF7BDCC9DB8F
                                                                                                  SHA1:BDC1F798273459E3B64517E855EE7BAD276D4AF2
                                                                                                  SHA-256:AD807EF9A54A67691AA6AA40CC950268D3BE7C95996D2D77DD56AA01E2BE5223
                                                                                                  SHA-512:A7C5DBEADA6384D6389433719BDB600CA215DC28DADC1CBE8D099A850D189EE45476633C837B718973BAE6DA2C68654BD645C50B2B1AB950B0AB261227CE2127
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........Util_UpdateSetting....J...Util_UpdateSetting.@......+.G.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f...
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4716331
                                                                                                  Entropy (8bit):7.577108587755452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:k3H5BNwueVRfsqc+cCD+EATIStpnSbkGPCpt4a3yRJbs4OIM5:k3H5BNMsNi+pn7d4aOtGZ
                                                                                                  MD5:ED1AD76A6A0B2F8A3D9819256297FD89
                                                                                                  SHA1:9B1773C2D4D2ABE0DB5A5D72746ECD4F28F81EDC
                                                                                                  SHA-256:377EF03FDDCD6B14A3C93D8C574A16091590008B6D4149F9CE4A7ECAD7008B92
                                                                                                  SHA-512:9B7D2E9D56674971580A22C912B858FCB305D1DC19CC6F8087C11FFC161D2D97338F7DF1C73C586E6ABC763A3673D2795EFB1B0A7A657A4CFDD68C57AA640DBB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4716331
                                                                                                  Entropy (8bit):7.577108587755452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:k3H5BNwueVRfsqc+cCD+EATIStpnSbkGPCpt4a3yRJbs4OIM5:k3H5BNMsNi+pn7d4aOtGZ
                                                                                                  MD5:ED1AD76A6A0B2F8A3D9819256297FD89
                                                                                                  SHA1:9B1773C2D4D2ABE0DB5A5D72746ECD4F28F81EDC
                                                                                                  SHA-256:377EF03FDDCD6B14A3C93D8C574A16091590008B6D4149F9CE4A7ECAD7008B92
                                                                                                  SHA-512:9B7D2E9D56674971580A22C912B858FCB305D1DC19CC6F8087C11FFC161D2D97338F7DF1C73C586E6ABC763A3673D2795EFB1B0A7A657A4CFDD68C57AA640DBB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):4716331
                                                                                                  Entropy (8bit):7.577108587755452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:k3H5BNwueVRfsqc+cCD+EATIStpnSbkGPCpt4a3yRJbs4OIM5:k3H5BNMsNi+pn7d4aOtGZ
                                                                                                  MD5:ED1AD76A6A0B2F8A3D9819256297FD89
                                                                                                  SHA1:9B1773C2D4D2ABE0DB5A5D72746ECD4F28F81EDC
                                                                                                  SHA-256:377EF03FDDCD6B14A3C93D8C574A16091590008B6D4149F9CE4A7ECAD7008B92
                                                                                                  SHA-512:9B7D2E9D56674971580A22C912B858FCB305D1DC19CC6F8087C11FFC161D2D97338F7DF1C73C586E6ABC763A3673D2795EFB1B0A7A657A4CFDD68C57AA640DBB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.1725017091742065
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:JSbX72FjFliAGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i5:JDIQI5wBTr/F
                                                                                                  MD5:A7857DA32E808378FC0B35ADEA881BB2
                                                                                                  SHA1:4B47E95E0C8E3AE5F235844E64F9A11FB785D487
                                                                                                  SHA-256:9AFCF836C828F5E8885F63773C23C24E8552CE9299B8510E04B4FE344B9ABABB
                                                                                                  SHA-512:3E75BC36966F9E9B04DC1D104068269863865DBC16DDE26D8B695F08E6435F1B35615B3AF0CEEAE22A7ED0CF4C669D897533EEF9376647B4D77B471F49F1CEA2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.19156790280031
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:JSbX72FjvlsXAlfLIlHmRpxh+7777777777777777777777777ZDHF12sb+iQaRm:JJIUIYECsKz+HF
                                                                                                  MD5:CB88AEA5C3A0981FAF3C1C18D92BC001
                                                                                                  SHA1:13D70F78AF5497FC05764F26E0CA96106CE59350
                                                                                                  SHA-256:91E1FD614F157135680CF129F5650305993B4EE067657345C7D74B956574D14A
                                                                                                  SHA-512:FA335558BB6CA561B36C839D7306DF69693BAA82C1EFD04BAF569C52F7E32725C2CC580791AE900FF5A77E546A44E38B5413EFB2BDBDE393CD291145EDAB277A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.3019562334099102
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JSrO38PhMuh3iFip1GE2yza2t4KAQBHofagUMClXte7+oAWS+NdXwZymiL:YY8PhMuRc06WXOCFT5OXAWSQXwZy9
                                                                                                  MD5:95A5089D8C9D4A8643A251BB52E653DD
                                                                                                  SHA1:9ED55A6A254B99D811A92F47C5A61F296F1B9268
                                                                                                  SHA-256:30267135EFDF51229705EF83193EA6A6F4453F3825DCF1DD4688471DF875F292
                                                                                                  SHA-512:01767BC2BD358585635884D867045106C63E8FFA484646CA22BBDE1E03C53FA581C46D81DBBA19B105536E0EB4FAC8890F151D89A5918E3610B188CD55DEB958
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):454656
                                                                                                  Entropy (8bit):5.348929773767357
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:D7f8m8end5Xy+1kvI8k9W91iVXuXskIhT:/h8edk+1kv5K+WhT
                                                                                                  MD5:149336F319D9AE2CA49E49FC61E834AC
                                                                                                  SHA1:E00591F432E8B306A349D76BF280736E4509E49F
                                                                                                  SHA-256:9E06D2D011DA7F988CF974584BB9F2D780D2460DAE92B02FF13F50FC2B3ED2E8
                                                                                                  SHA-512:BF7BC7C5FCD881C2A2E19914A0C3D765BED36D63C3FF0D60C07DA4CB8072F45DA3BC0DE7605BFE83B23E0572F1B700C0B613C049DC613F7470C095AE7EC9931D
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):360001
                                                                                                  Entropy (8bit):5.362993823095571
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauc:zTtbmkExhMJCIpEd
                                                                                                  MD5:41878F7AD881B4FCA8AC9DCAE235C5AF
                                                                                                  SHA1:BA9CFFB1AA2F3BFE34CE3491B404920CBFF618F1
                                                                                                  SHA-256:C776953E9C07ABDA51978D8C2F31FB0DF90B8B9CB94B003055EB954844C6007C
                                                                                                  SHA-512:6E634DF668FE23ABF33BE57094605738F2B98C236289648118AEAFD4118D31D5AF6D8508BC200AB3C1422F3E9F3180132B66A3500382261A3282797674C707AD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):651
                                                                                                  Entropy (8bit):5.343677015075984
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                  MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                  SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                  SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                  SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):704
                                                                                                  Entropy (8bit):4.805280550692434
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                  MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                  SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                  SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                  SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):100236
                                                                                                  Entropy (8bit):6.447418317443777
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:iHl6E09HMzatQFfZNt0zfIagnbSLDII+D61Sg:iF6d9HcSQZN+gbE8pD61T
                                                                                                  MD5:E190CBB3AB0736B4AC4C571BE07A76F7
                                                                                                  SHA1:D32D05FC2211DA5D9108B9338593B8755281E091
                                                                                                  SHA-256:454A15141A13B68637B7BD24A65377BDAB9C685D6248FE3A0614F0CCB80405B2
                                                                                                  SHA-512:17B39FC639DCCB7F727DC402B6B14E39AAFFEDF3A8AA2E77FF270085D5DCAE81C0C4393E8095B462BCF2B65A73ABB08D3BCCA0CD8AEC27EE980D745C97820351
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):471
                                                                                                  Entropy (8bit):7.239006619646905
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:JyYO5t5GLsHeIbyBso5RbQwtiveX+SX5RgEqb:JRO5tILs9boslHvg+So
                                                                                                  MD5:D2C6B81BDF464C289C2E4C809D288252
                                                                                                  SHA1:117E93E73DC861209B6E929A48DD21A3BA87319D
                                                                                                  SHA-256:72ED915E287D537595A79423587F7A3BDA63160E9D8D5A8FF0C175076A9E7F58
                                                                                                  SHA-512:38A0F4ECBD5A2BF6A58F88B8FDC444AAAE0CAB0A61265588A3C818C6D073853DC92DB29C0729064E7AA01897E818C7B8F8342E25E72087BAB37A3932E9B9752C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):727
                                                                                                  Entropy (8bit):7.527637866910958
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:5o6Tq9rs5h44TUqVNqN3GKzdbev69idFqDTbadS5MKu/ECETpBMYakMg4wNTp8bz:5toqIJbev69+F2TWMMKuy1BMcC+T5y
                                                                                                  MD5:536690BCFAB9B5B4297DA06C8496FC39
                                                                                                  SHA1:C06CA3BD6BA1E64204C365FAC8711857607B4548
                                                                                                  SHA-256:5513B0B8D845FD51515FEDA7F60F3D12DC1F74537B119B95D135E00EFDFC7A33
                                                                                                  SHA-512:8553F3BA306CA3AA63D85DB5BDDE703C6C9D5D802D8AFEA076DA35B90E622DBF497C293821933497066E3E030CF7A0D5A88385D6A7677442C9BF278AC232D9E6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Certificate, Version=3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1716
                                                                                                  Entropy (8bit):7.596259519827648
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                  MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                  SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                  SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                  SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):727
                                                                                                  Entropy (8bit):7.508162904700955
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:5onfZUc5RlRtBfQOZsrjws7inDUyv51n0DFI/h9+8ardMZU8d3E/EIAWfrICL:5iacdZBZyD72IyvXnOy5swLXIA9w
                                                                                                  MD5:B7CFA31D5EFB459828830014089F2CA3
                                                                                                  SHA1:CE3B91AC5438B6E854957C1CF85B25DAC1BFDC94
                                                                                                  SHA-256:DA02CC671551D43B5CDC371550204E3919B4AAB80F55829312CE7322EAFA2AD9
                                                                                                  SHA-512:49B78258D8AC521B3A4A2405AC590F44FFCA0FCDEB97507C73DF13909EC274F22A1E691258BD41A491F5BBF92CF5D1DA2783374624A5B12CB071D837D178FC22
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Certificate, Version=3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1428
                                                                                                  Entropy (8bit):7.688784034406474
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                  MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                  SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                  SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                  SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):306
                                                                                                  Entropy (8bit):3.233147537391008
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:kKv/EkwAiAUSW0P3PeXJUwh8lmi3QIoFG/:n/ECixSW0P3PeXJUZQG/
                                                                                                  MD5:310EAD47EF4401347562EA06AB5CD5E4
                                                                                                  SHA1:6B17101CA0FAA0386E0A14175F51BC0D37015D51
                                                                                                  SHA-256:B18639F9DD347CDD0FFDCF8B0945BE572F70D4C620D872E497CE47E5CA61D4D3
                                                                                                  SHA-512:40B781F2CEB5E5FB80C9EF76B53D0E0E5299584C9399E7FEBEDFBAC449FEBAFA30850D664A808964E1D6A041B7938489AD2F545E0D3DCAC26E0362FA0FE9877E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[non-printable header bytes] http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl "66bdff5c-1878c"
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):306
                                                                                                  Entropy (8bit):3.225009547209069
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:kK/lkwAUOAUSW0P3PeXJUwh8lmi3QIoFG/:XlCDxSW0P3PeXJUZQG/
                                                                                                  MD5:942626F61D795B60D7DF92A0A16E91B6
                                                                                                  SHA1:30761E80680EECD601B21786AE39D1F0B0A1F8CE
                                                                                                  SHA-256:1C993394836E728E704F5609624EB4428B7875BC3C253E07C7CE7C79861C03F4
                                                                                                  SHA-512:05C8CD7C603B74116754E57ED20C6EFF659A82B2BED29F5EC9E5CA25AC8BB65175A649DC71865BE07DC820B4B42079416AB9EABC02F39CD088CE99C7E70F34FF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:p...... .........."gc...(....................................................... .........~&.... ..."...............h.t.t.p.:././.c.r.l.4...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.l...".6.6.b.d.f.f.5.c.-.1.8.7.8.c."...
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):400
                                                                                                  Entropy (8bit):4.010204809705057
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:kKO9zJtgunXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:2tjNmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                  MD5:B06F8E5EA039831B1E01339C77A496DB
                                                                                                  SHA1:2FEE04F3BFFA499791C32FAAB3D46E2B6C8DC94E
                                                                                                  SHA-256:52A9D1C0CB3AC0F52109D7DDD24CF8D28177D86C264825C154D049503E310E48
                                                                                                  SHA-512:5A000ACC0B13E15A26050307E98F56D145FCCA49EE7603774ECAE0A9A2B22B060F1B381087777752E8EACC99FA6DE5E6A07D26390CB9281DF2A126E2BD79C5EA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:p...... ...........Bc...(................j.;k......d.......................d.... .........^zX... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):404
                                                                                                  Entropy (8bit):3.918869366315747
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:kK38PHlXd8s6OfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSi8:8FXHhmxMiv8sF3HtllJZIvOP205scn8
                                                                                                  MD5:700CB4E4ED156D4EDA69EAB08769B6D8
                                                                                                  SHA1:A61938FEC8896C58A6689EE7C3B2F6C9BD31F9F4
                                                                                                  SHA-256:C7326E7F53B00FB0B3E23394AD6DDB634490C39B3084B99BB0CDF2880A7476F0
                                                                                                  SHA-512:0437170BCA9D6DFDE9103FDA32467C419B1B7A55311E45E36A453D6F221CB5190881EC9048E1F15DA5C9AFA02F6904AD9B37D6FBF3BFD6279552C35FA056A410
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:p...... .... ...c(.fc...(..................P......l.......................l.... ...........Y... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):308
                                                                                                  Entropy (8bit):3.215595374195135
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:kKaVzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:yItWOxSW0P3PeXJUZY
                                                                                                  MD5:3D2234E0BEC636DEB5D167EE45DE08B5
                                                                                                  SHA1:D1A23CE6F106C3D8651F890D411AA54AAA0A1AD4
                                                                                                  SHA-256:DBA9145BD8319B789614D346481257BB37A37CB78A599974FBD3ECDA325EC367
                                                                                                  SHA-512:836009EFE1FEA3414D59E44AF9E786D17413AD7304FE687F8C43DF17F113170A981C4AB97BE3EFE2E73FB82E0278D718E688F3EEFA3F79460BF60A8B71C63DD9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:p...... ..........Nh...(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):412
                                                                                                  Entropy (8bit):3.971057170133289
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:hQ7zSI/kmxMiv8sFBSfamB3rbFURMOlAkr:hEzS4kmxxv7Sf13rbQJr
                                                                                                  MD5:50DBC4A821FB28EEED35CD4A7812F014
                                                                                                  SHA1:B6ABDF93CE48CB9288984C6772399A35F58D9DFD
                                                                                                  SHA-256:9B0A44EF21F6BECBB5546CE8F816345EDB591294D4362F4D9FE1290514E17BDA
                                                                                                  SHA-512:FC784B57E164010AE080D72D8ECF461A70704C4CE366E57A669AAD5BC796ADC9A0D87D5C3CCA7FABE7BC1ECB7F589B241FDA18EC012C29E42C365C8ED77DCA07
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:p...... ....(....Tc...(..................y................................... ........[.xX... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):254
                                                                                                  Entropy (8bit):3.0528988669712285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:kKfgLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:wLYS4tWOxSW0PAMsZp
                                                                                                  MD5:31148B7207EB5ABCE0403B72AB353685
                                                                                                  SHA1:A3BB871CB5FBDBDA1B077E3CAB656F7D6297A5ED
                                                                                                  SHA-256:B779B7C7E889E7FF3F03FCE8D8382C5D3ACC8EF67AB19218AB38052C124AEF53
                                                                                                  SHA-512:4CF923B06995FFE9B1BF0F7A8543C3F1471333B382D235C13B8A3794F85439F88E41F6F8639A4C98C1FF19DB94BCE0B6ED82FCDF145159D5FDC5318E2A8EC470
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:p...... ....l....D.vh...(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1944
                                                                                                  Entropy (8bit):5.343420056309075
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                  MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                  SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                  SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                  SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1983
                                                                                                  Entropy (8bit):5.345248756179348
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKksHVsHT6HNHOHKCHKlT40HKe60:iqbYqGSI6oPtzHeqKks1sz6tuqCqZ40T
                                                                                                  MD5:F974F0FCD981AC0581C5498C0155EF91
                                                                                                  SHA1:0CF6D5F41937B296EF9D37FC90E56EC8458B96DF
                                                                                                  SHA-256:500B63AEC50B89EF4CEC9ED49E53D168CDC35D235CB416B84234D3E45F3AC365
                                                                                                  SHA-512:1484917CC2A8E88DD4010FEE60394BD974D5C44ED0482DAD64B06A319E1F7E414321B8BDB06C6DE70152CFEA887BBDEFD2F2689C077251E8D2BBC9448FBF8719
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runtime\2702
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:modified
                                                                                                  Size (bytes):3043
                                                                                                  Entropy (8bit):5.361093730986187
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                  MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                  SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                  SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                  SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1499
                                                                                                  Entropy (8bit):5.341844552740347
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNWE4KXSE4KlOU4mXE4Ke60:MxHKQwYHKGSI6oPtHTHhAHKKkWHKCHKl
                                                                                                  MD5:D45F0B0387AA9450CC88125F2428C26D
                                                                                                  SHA1:8C77259A299BF2FB7A66EC695A3F0EFA5154DCB6
                                                                                                  SHA-256:6A6DF19288C76B1CEDD0F507F226705CDE6A69F3AB59B4FC13AF5C7B7F7D12A3
                                                                                                  SHA-512:5523AD8087ECE039FFFEF746F9B6175D6C2F2523C372FC813D21E695C18D986432D2B83C23D0E6CD6C42C97DFC8DECE3121BE8907D05337EA9B282D3E947EF4F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ce
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1075
                                                                                                  Entropy (8bit):5.353521172341231
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                  MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                  SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                  SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                  SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):227784
                                                                                                  Entropy (8bit):3.7904990560879175
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:jZM6f8sbp/109zYMdV9iFe+x3pwMfxpRrJKuZh9c+pWyRd1hpWbgXQZYNsXrpjfL:jygjCn8OlGujjPRtWnVB1XE8Qb
                                                                                                  MD5:356FFC6EF3394D1702C63766F9C40277
                                                                                                  SHA1:CFCA43256ED81708FCE1881602469A6597C184CF
                                                                                                  SHA-256:C452FBFD7BF5D5193EFFF7E7998A63CA7EF56F04D3E87AF08F3905EE24451C00
                                                                                                  SHA-512:DCA672B9D5F1894C865C19CBB7B743E8D62927D5E5A5646DD5270D24D3D26E6F55E7876B1D5976F9D85CDDF898969D32A41585D447EA142D4C25F713148A36EC
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.5./.0.8./.2.0.2.4. . .1.8.:.3.5.:.0.8. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.0.0.:.0.C.). .[.1.8.:.3.5.:.0.8.:.9.0.8.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.0.0.:.0.C.). .[.1.8.:.3.5.:.0.8.:.9.0.8.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.0.0.:.0.C.). .[.1.8.:.3.5.:.0.8.:.9.0.8.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.a.t.e.r.a.A.g.e.n.t.S.e.t.u.p.6.4._.1._.8._.7._.2...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.0.0.:.0.C.). .[.1.8.:.3.5.:.
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52853928
                                                                                                  Entropy (8bit):7.941280777334469
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:786432:iTVOuIdnXeYOf9QBOgMqoaen728gEb4dIgEdj8SmIqm50muEs:AVO+4bvXQ/mo50mhs
                                                                                                  MD5:7C4902773A19057DA00AA30C3D2EF267
                                                                                                  SHA1:175A455382D44852C57248C1F504EA056D514226
                                                                                                  SHA-256:E3F7DD9B306C06C128178B13FF641637CD50722BC92D38E368157FDE94470A58
                                                                                                  SHA-512:6A09E4DC54FE0B696EC46B7A47523DE4A951009AE527825D32D6828925C02B3EF0A629C97A0044812A4EC31C44E0E11E7D5FEFEDDD2883AD9842BAB9AE6347CA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2994176
                                                                                                  Entropy (8bit):7.878630966889847
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                  MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                  SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                  SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                  SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):147456
                                                                                                  Entropy (8bit):3.095430202233436
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:MJxrz6zFooEd6QFo7KjJUFJ9yQscVU0r/w0az6zFooEd6QFo7KjJUFJ9yQscVU0j:ur2zOhUm44Qdx7a2zOhUm44Qdx
                                                                                                  MD5:C71FA846D32A15ED28A8FEA65DB5AEDB
                                                                                                  SHA1:D86178D064EC6B131D2A0C58442BBD7665BCC5EA
                                                                                                  SHA-256:96718564BE8D12B46B27D9A4ABA2B37BE6DF7DAB3B1EC826FE61C56F36DD2663
                                                                                                  SHA-512:1F69B55922F0446BFF293AFB971922A685A4AB3BB58FB9EBE400232AF8F7FFF3DAB9BB509C7946F25CA66207131DD076BADA6A0D45A39E537662678BC7F969D8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.1304166598345428
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJG9WTZkF+GqM+n:CnAStedGPdGeqISoedGPdGTIE3v
                                                                                                  MD5:BAF326647B62DBA95DA1B531CDA0C71C
                                                                                                  SHA1:BF90C1D6F3D2AAB6B124C3F85C20BF47CF771ADD
                                                                                                  SHA-256:A4998D8069CD19D77F07CF54C9F723718F80965C54157C0ED0BE37904EF01293
                                                                                                  SHA-512:766E7C1813DFB99C7E81F1D235AAC51A1E772DEB23D377633893EA5055D8C5B49EE46A455EC97D3B76377F3CB1AF64BA777DB7E640CAA55858AAF0ACC04B29DB
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF112BA05041C64409.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.266204957463367
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:j1RcuEBM+xFX4RT5ZHxbnwqISoedGPdGfbre7eStedGPdGRubBn:j/cZSTl1IHioF
                                                                                                  MD5:657E79B248BE1A758B108B1B7569B6CD
                                                                                                  SHA1:78FB78A26DDAFFAC584381EA7BB190E02B5E4619
                                                                                                  SHA-256:305484D30297C5CACD2E36B81B6D4224AF854F3D31B6A2DE3136FEA0AB30B366
                                                                                                  SHA-512:9F4C9F25EBB109D6945FE2AE5286ADE8E9C460DD76E38122C55AD062873989C29C4A9F3C5A880FE3278CECD625F3FB6C4AC95F3A002CB0D3D4B55E51AA73FF9A
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF129758EBB1CE1B55.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.266204957463367
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:j1RcuEBM+xFX4RT5ZHxbnwqISoedGPdGfbre7eStedGPdGRubBn:j/cZSTl1IHioF
                                                                                                  MD5:657E79B248BE1A758B108B1B7569B6CD
                                                                                                  SHA1:78FB78A26DDAFFAC584381EA7BB190E02B5E4619
                                                                                                  SHA-256:305484D30297C5CACD2E36B81B6D4224AF854F3D31B6A2DE3136FEA0AB30B366
                                                                                                  SHA-512:9F4C9F25EBB109D6945FE2AE5286ADE8E9C460DD76E38122C55AD062873989C29C4A9F3C5A880FE3278CECD625F3FB6C4AC95F3A002CB0D3D4B55E51AA73FF9A
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1C99883C032D863A.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.077966497703753
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                  MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                  SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                  SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                  SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):1.0005574478555426
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jNeMMXukPveFXJ5T5pGDWqISoedvPdvbCnuhnq90nAdStedvPdvxubS:jNuXUhTnGDDIciuBu0u4
                                                                                                  MD5:3EF7311E12ADDF2EC7AA663E055C1F51
                                                                                                  SHA1:A1434296376278BE104ACD1C15F672BFCC94F8E2
                                                                                                  SHA-256:594E552B2018F5A56BB15A417331B323571F7E8A1DF9E64BDE92440A189C8402
                                                                                                  SHA-512:8E7E2AAB451E4E7E4C72FED93F6B7AF6F2AD74156891F0061FC293602E22E2A0D0C13DF81F00CFF8B73B231E51B56D967E3D574D92AF518D07DDC59308362E85
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF303EEC30C4652B43.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):147456
                                                                                                  Entropy (8bit):3.095430202233436
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:MJxrz6zFooEd6QFo7KjJUFJ9yQscVU0r/w0az6zFooEd6QFo7KjJUFJ9yQscVU0j:ur2zOhUm44Qdx7a2zOhUm44Qdx
                                                                                                  MD5:C71FA846D32A15ED28A8FEA65DB5AEDB
                                                                                                  SHA1:D86178D064EC6B131D2A0C58442BBD7665BCC5EA
                                                                                                  SHA-256:96718564BE8D12B46B27D9A4ABA2B37BE6DF7DAB3B1EC826FE61C56F36DD2663
                                                                                                  SHA-512:1F69B55922F0446BFF293AFB971922A685A4AB3BB58FB9EBE400232AF8F7FFF3DAB9BB509C7946F25CA66207131DD076BADA6A0D45A39E537662678BC7F969D8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.16329696176034847
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq90nAmu:hybIciuBu0ju
                                                                                                  MD5:A49EEBE06436C541363D33221C907BD9
                                                                                                  SHA1:F019E81AB7A8C1EA0282696B137CF9EC2BB27F4F
                                                                                                  SHA-256:61F5B33D1BB8E168DBD0E3BFC1A35DD3A0F918847ECD526537EFAE4C1BE05BDC
                                                                                                  SHA-512:CF72483752BD6694CD4B644A23F9D6EFEE9D95C2058ADEF5F4B8941C98035F0E12693ED63E55E1C8C471E177535622EE083F05B3089FE312D47441B1AD833F5A
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF449DAD0E18A4D353.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):1.0005574478555426
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jNeMMXukPveFXJ5T5pGDWqISoedvPdvbCnuhnq90nAdStedvPdvxubS:jNuXUhTnGDDIciuBu0u4
                                                                                                  MD5:3EF7311E12ADDF2EC7AA663E055C1F51
                                                                                                  SHA1:A1434296376278BE104ACD1C15F672BFCC94F8E2
                                                                                                  SHA-256:594E552B2018F5A56BB15A417331B323571F7E8A1DF9E64BDE92440A189C8402
                                                                                                  SHA-512:8E7E2AAB451E4E7E4C72FED93F6B7AF6F2AD74156891F0061FC293602E22E2A0D0C13DF81F00CFF8B73B231E51B56D967E3D574D92AF518D07DDC59308362E85
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF4EFE6F6754ABCA4D.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.221418233693186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:Ms8PhcuRc06WXJEFT5AD3tqISoedGPdGTIaStedGPdGTn:MDhc1HFT+D3wIAD
                                                                                                  MD5:678C4E44B12EFF0CCA62B57E194995DD
                                                                                                  SHA1:E630A95C4E1B4C25EE8E519089F79873593173F3
                                                                                                  SHA-256:E173C88C19688520B379E15222BC9A77B74E8328FE1AE49D35BCECBF567F6AFC
                                                                                                  SHA-512:D7A9EE74601737860CA856B212B7B33937234C9895BA66627409F4702F8F924D195936501D0C4CD66D10E24C116CD7DC27665027AEB4955523B738EEF3DFC6BB
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7BA34C1BE4D8280E.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.619771282865131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:7a8PhPuRc06WXJEFT5QDWqISoedvPdvbCnuhnq90nAdStedvPdvxubS:7lhP1HFTODDIciuBu0u4
                                                                                                  MD5:D2B0A17790A4DBB93A628B8D91CB82F8
                                                                                                  SHA1:AF5EBB92965DB3794767AFE19B3AB67D212EC917
                                                                                                  SHA-256:3BE5470F3E4F0C7C9C17EDA9B180AA966EF59402AEB96DA5662EE264A0BD5360
                                                                                                  SHA-512:D86691D418BA5952EE11F89F21B0CC8D1CECC20BC99372680BC809530D7241B7B3B5C36375A5B6F3687B32A4A00D17F0737E18B4547DFE7E17B2F2A568B886E1
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF827FD8DCE6FCC37C.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.5833154387059762
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:+L8PhUuRc06WX4inT5xHxbnwqISoedGPdGfbre7eStedGPdGRubBn:+yhU1ynT91IHioF
                                                                                                  MD5:646A48D143B66C7F945CF172C3476A0B
                                                                                                  SHA1:68D91EA6A00D58BF24912CCC8FD26F65E18DB628
                                                                                                  SHA-256:84D6D2B7C0E6EAF92FD786AB06BFE0DC7EF336184E6F8DFBB114BC1F3F88F714
                                                                                                  SHA-512:D321109954563F980ABE9D945C9B5F76D1E73ED381ABB3FF6B264769350EC5E3B998F28471D36F15F4FB7882523AD9BC9BACE4EA0B0EA10B582A28504BCCE665
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF8FDD460FFDACBAD6.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.230521566682456
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:KmVUuKPveFXJ5T5cD3tqISoedGPdGTIaStedGPdGTn:KaUGhT6D3wIAD
                                                                                                  MD5:06633C327C60A4D672E1C10D3E3567C1
                                                                                                  SHA1:A95AEAB42AB79E2820F9EBAC171971F14D53F428
                                                                                                  SHA-256:C6FFD7A41F6089BF1F8B853DD6EEE4DD0F1CE02AE501BA9F3E2B26E8BAD5BA8E
                                                                                                  SHA-512:8682D6545AEA01BCDFFAA39D0E1D4BE23D329D100566ABD56134D828CF7267651D059DFA8D1A96AD423C8C8478D74BC01221B24B248A4176CBDDD8C5723DEDA0
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF94598BD16C89ED3C.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.08799036720864634
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO12sd57+iQPMT8AVky6le:2F0i8n0itFzDHF12sb+iQaGe
                                                                                                  MD5:E2F958C9203D627715418890B27C9DF4
                                                                                                  SHA1:A91B81F9D1CC3D9C2A024F388A7322696667A3E7
                                                                                                  SHA-256:8D7A13E2A4880838E71554A3E4B18751CBDF5D07E73EC32244818DDF154554F2
                                                                                                  SHA-512:66E59115C601357A872F0DD010C74D53A8D9B965EFDE7BA34D45FCAA590CE13092956DAA7F300F88BC9A031C5E07013A9FF7A455F09478A4EB2D7D0C449E4AD9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.5833154387059762
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:+L8PhUuRc06WX4inT5xHxbnwqISoedGPdGfbre7eStedGPdGRubBn:+yhU1ynT91IHioF
                                                                                                  MD5:646A48D143B66C7F945CF172C3476A0B
                                                                                                  SHA1:68D91EA6A00D58BF24912CCC8FD26F65E18DB628
                                                                                                  SHA-256:84D6D2B7C0E6EAF92FD786AB06BFE0DC7EF336184E6F8DFBB114BC1F3F88F714
                                                                                                  SHA-512:D321109954563F980ABE9D945C9B5F76D1E73ED381ABB3FF6B264769350EC5E3B998F28471D36F15F4FB7882523AD9BC9BACE4EA0B0EA10B582A28504BCCE665
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC8140AAE6423030D.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.266204957463367
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:j1RcuEBM+xFX4RT5ZHxbnwqISoedGPdGfbre7eStedGPdGRubBn:j/cZSTl1IHioF
                                                                                                  MD5:657E79B248BE1A758B108B1B7569B6CD
                                                                                                  SHA1:78FB78A26DDAFFAC584381EA7BB190E02B5E4619
                                                                                                  SHA-256:305484D30297C5CACD2E36B81B6D4224AF854F3D31B6A2DE3136FEA0AB30B366
                                                                                                  SHA-512:9F4C9F25EBB109D6945FE2AE5286ADE8E9C460DD76E38122C55AD062873989C29C4A9F3C5A880FE3278CECD625F3FB6C4AC95F3A002CB0D3D4B55E51AA73FF9A
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCA8BC26715A0D8E1.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.1505707191940058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:CnxubmStedGPdGeqISoedGPdGfbre7/IHxb:i4yLIHj
                                                                                                  MD5:69967F8CA2C323F0DB5249B3D1AE29E6
                                                                                                  SHA1:05B4F863D52515F58FCCF51A9F23E93B29B257A7
                                                                                                  SHA-256:C9F2AEDB5063F3AB9FA5C69E79EA9CB9C8173D195517BF233791104CC540DFC3
                                                                                                  SHA-512:4EEC3B73CAEDB8CA6C3E7C7785859940F6B5377FCB0BEC50E60E281ACF11D3A7072699822F2C12E24A680A601DCBCA0BD53CF96A3E1ACAD8187F4DABED85166B
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDA9F148306AEE887.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.230521566682456
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:KmVUuKPveFXJ5T5cD3tqISoedGPdGTIaStedGPdGTn:KaUGhT6D3wIAD
                                                                                                  MD5:06633C327C60A4D672E1C10D3E3567C1
                                                                                                  SHA1:A95AEAB42AB79E2820F9EBAC171971F14D53F428
                                                                                                  SHA-256:C6FFD7A41F6089BF1F8B853DD6EEE4DD0F1CE02AE501BA9F3E2B26E8BAD5BA8E
                                                                                                  SHA-512:8682D6545AEA01BCDFFAA39D0E1D4BE23D329D100566ABD56134D828CF7267651D059DFA8D1A96AD423C8C8478D74BC01221B24B248A4176CBDDD8C5723DEDA0
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF063B7B45E273BCF.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.619771282865131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:7a8PhPuRc06WXJEFT5QDWqISoedvPdvbCnuhnq90nAdStedvPdvxubS:7lhP1HFTODDIciuBu0u4
                                                                                                  MD5:D2B0A17790A4DBB93A628B8D91CB82F8
                                                                                                  SHA1:AF5EBB92965DB3794767AFE19B3AB67D212EC917
                                                                                                  SHA-256:3BE5470F3E4F0C7C9C17EDA9B180AA966EF59402AEB96DA5662EE264A0BD5360
                                                                                                  SHA-512:D86691D418BA5952EE11F89F21B0CC8D1CECC20BC99372680BC809530D7241B7B3B5C36375A5B6F3687B32A4A00D17F0737E18B4547DFE7E17B2F2A568B886E1
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF2E15018D2532D6D.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):1.0005574478555426
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jNeMMXukPveFXJ5T5pGDWqISoedvPdvbCnuhnq90nAdStedvPdvxubS:jNuXUhTnGDDIciuBu0u4
                                                                                                  MD5:3EF7311E12ADDF2EC7AA663E055C1F51
                                                                                                  SHA1:A1434296376278BE104ACD1C15F672BFCC94F8E2
                                                                                                  SHA-256:594E552B2018F5A56BB15A417331B323571F7E8A1DF9E64BDE92440A189C8402
                                                                                                  SHA-512:8E7E2AAB451E4E7E4C72FED93F6B7AF6F2AD74156891F0061FC293602E22E2A0D0C13DF81F00CFF8B73B231E51B56D967E3D574D92AF518D07DDC59308362E85
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF71A8BC38C0345C5.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.221418233693186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:Ms8PhcuRc06WXJEFT5AD3tqISoedGPdGTIaStedGPdGTn:MDhc1HFT+D3wIAD
                                                                                                  MD5:678C4E44B12EFF0CCA62B57E194995DD
                                                                                                  SHA1:E630A95C4E1B4C25EE8E519089F79873593173F3
                                                                                                  SHA-256:E173C88C19688520B379E15222BC9A77B74E8328FE1AE49D35BCECBF567F6AFC
                                                                                                  SHA-512:D7A9EE74601737860CA856B212B7B33937234C9895BA66627409F4702F8F924D195936501D0C4CD66D10E24C116CD7DC27665027AEB4955523B738EEF3DFC6BB
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFA4F8913DFF0E7C1.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.230521566682456
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:KmVUuKPveFXJ5T5cD3tqISoedGPdGTIaStedGPdGTn:KaUGhT6D3wIAD
                                                                                                  MD5:06633C327C60A4D672E1C10D3E3567C1
                                                                                                  SHA1:A95AEAB42AB79E2820F9EBAC171971F14D53F428
                                                                                                  SHA-256:C6FFD7A41F6089BF1F8B853DD6EEE4DD0F1CE02AE501BA9F3E2B26E8BAD5BA8E
                                                                                                  SHA-512:8682D6545AEA01BCDFFAA39D0E1D4BE23D329D100566ABD56134D828CF7267651D059DFA8D1A96AD423C8C8478D74BC01221B24B248A4176CBDDD8C5723DEDA0
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFAA548B795F06D7A.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4
                                                                                                  Entropy (8bit):2.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Cy:Cy
                                                                                                  MD5:17C47928D1BA7ECB789EE3E4E7BB61A4
                                                                                                  SHA1:58836A68D7DA82082C676A5E1F5BC33F2A8CADF0
                                                                                                  SHA-256:42A3ABE36D8E5C5CB6123D9DA9ADB152C87AD6E08CB6327BB5405A8E297635E4
                                                                                                  SHA-512:EF35FF11C834B9F6696C0EB1FA3F32A3DAE4C304AB872E2A5357D539DDA15C3AC7BD618B5AE8628BCF42BC9B47AFE0C6796816318B2E10B8378EDAFD953EE336
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:52..
                                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Entropy (8bit):7.878676550924149
                                                                                                  TrID:
                                                                                                  • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                  • ClickyMouse macro set (36024/1) 34.46%
                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                  File name:SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi
                                                                                                  File size:2'994'176 bytes
                                                                                                  MD5:acd50da7436621368061abc2ca6193fe
                                                                                                  SHA1:7c7a9109e7e576ca2975305867937f3575e8d749
                                                                                                  SHA256:2ba7c24b984423bda7b4982b3b6e230a6c0f2dae44b580c6f02d133e625fd3bb
                                                                                                  SHA512:cb35976890dc5f63cb8307d258cb3ff17feebd5d0a113e7091d08408c2842fbc34145ddf3fd4351fd9fe5187dd18906acccaa4c189199c688b405b7e3a005dab
                                                                                                  SSDEEP:49152:U+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:U+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                  TLSH:29D523127584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76F73
                                                                                                  Icon Hash:2d2e3797b32b2b99
                                                                                                  Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                                  Target ID:0
                                                                                                  Start time:18:34:06
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi"
                                                                                                  Imagebase:0x7ff75be00000
                                                                                                  File size:69'632 bytes
                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:2
                                                                                                  Start time:18:34:06
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                  Imagebase:0x7ff75be00000
                                                                                                  File size:69'632 bytes
                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  Target ID:3
                                                                                                  Start time:18:34:07
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 181D1394CAAEB830AC973720F30550E5
                                                                                                  Imagebase:0x3c0000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:4
                                                                                                  Start time:18:34:07
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSI2299.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7152421 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                  Imagebase:0xec0000
                                                                                                  File size:61'440 bytes
                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.2163906663.0000000004FE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:5
                                                                                                  Start time:18:34:08
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSI2828.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7153750 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                  Imagebase:0xec0000
                                                                                                  File size:61'440 bytes
                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.2209595068.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.2209595068.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.2177235883.00000000047AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:6
                                                                                                  Start time:18:34:11
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSI35E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7157250 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                  Imagebase:0xec0000
                                                                                                  File size:61'440 bytes
                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000003.2212091771.000000000453B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:7
                                                                                                  Start time:18:34:12
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 39C8CCDE77C0A8431B675EA9C7DDE8CF E Global\MSI0000
                                                                                                  Imagebase:0x3c0000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:8
                                                                                                  Start time:18:34:12
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\net.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"NET" STOP AteraAgent
                                                                                                  Imagebase:0x8b0000
                                                                                                  File size:47'104 bytes
                                                                                                  MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:18:34:12
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:10
                                                                                                  Start time:18:34:12
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                  Imagebase:0x4a0000
                                                                                                  File size:139'776 bytes
                                                                                                  MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:11
                                                                                                  Start time:18:34:12
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                  Imagebase:0x210000
                                                                                                  File size:74'240 bytes
                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:12
                                                                                                  Start time:18:34:12
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:13
                                                                                                  Start time:18:34:13
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="apae.leticiarozanski@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LJyPNIA1" /AgentId="b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1"
                                                                                                  Imagebase:0x1e7e5d10000
                                                                                                  File size:145'968 bytes
                                                                                                  MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 14%, ReversingLabs
                                                                                                  Has exited:true

                                                                                                  Target ID:14
                                                                                                  Start time:18:34:17
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                  Imagebase:0x2c2ad900000
                                                                                                  File size:145'968 bytes
                                                                                                  MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE466000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE587000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE1F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2731401170.000002C2C740F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE60E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2720587451.000002C2C6ECB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE584000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE546000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE2FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE470000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE5D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE6A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE382000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691043768.000002C2ADD80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2688947979.000002C2AD9B0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE622000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2720587451.000002C2C6EA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2727878966.000002C2C6FA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE292000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2720587451.000002C2C6F3A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2716483231.000002C2C6AAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2689025415.000002C2ADAED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2716483231.000002C2C6A0D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE932000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2691250880.000002C2AE69E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:15
                                                                                                  Start time:18:34:17
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                  Imagebase:0x7ff734ef0000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:16
                                                                                                  Start time:18:34:17
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:17
                                                                                                  Start time:18:34:18
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSI4EF0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7163640 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                  Imagebase:0xec0000
                                                                                                  File size:61'440 bytes
                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.2319039819.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000003.2276609080.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.2319039819.0000000004F44000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:21
                                                                                                  Start time:18:34:26
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "8f7de333-83ca-4d02-94ef-1b8545d50f26" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x1e1ae040000
                                                                                                  File size:176'176 bytes
                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                  Has exited:true

                                                                                                  Target ID:22
                                                                                                  Start time:18:34:26
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:23
                                                                                                  Start time:18:34:26
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "313c2f49-e11b-4184-83f8-24833206108a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x14e16b80000
                                                                                                  File size:176'176 bytes
                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  Has exited:true

                                                                                                  Target ID:24
                                                                                                  Start time:18:34:26
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:25
                                                                                                  Start time:18:34:29
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "f56981de-298d-4b18-9699-96fd97645b14" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x229e3730000
                                                                                                  File size:176'176 bytes
                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  Has exited:true

                                                                                                  Target ID:26
                                                                                                  Start time:18:34:29
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:27
                                                                                                  Start time:18:34:29
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                  Imagebase:0x1f1c62f0000
                                                                                                  File size:145'968 bytes
                                                                                                  MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  Has exited:true

                                                                                                  Target ID:28
                                                                                                  Start time:18:34:29
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                  Imagebase:0x7ff734ef0000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:29
                                                                                                  Start time:18:34:29
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:30
                                                                                                  Start time:18:34:30
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6a977784-500a-4b6f-98da-3b8105c955fb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x1d11b320000
                                                                                                  File size:176'176 bytes
                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  Has exited:true

                                                                                                  Target ID:31
                                                                                                  Start time:18:34:30
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:32
                                                                                                  Start time:18:34:32
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                  Imagebase:0x7ff7807d0000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  Has exited:true

                                                                                                  Target ID:33
                                                                                                  Start time:18:34:32
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:34
                                                                                                  Start time:18:34:32
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\cscript.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                  Imagebase:0x7ff675c60000
                                                                                                  File size:161'280 bytes
                                                                                                  MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000022.00000002.2486036396.000002A4B9A80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:35
                                                                                                  Start time:18:34:33
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\sppsvc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                  Imagebase:0x7ff799c70000
                                                                                                  File size:4'630'384 bytes
                                                                                                  MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:37
                                                                                                  Start time:18:34:37
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a383a7a9-5802-447a-aa75-24c8264d606b" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x20da27b0000
                                                                                                  File size:396'336 bytes
                                                                                                  MD5 hash:B50005A1A62AFA85240D1F65165856EB
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                  Has exited:true

                                                                                                  Target ID:38
                                                                                                  Start time:18:34:37
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:39
                                                                                                  Start time:18:34:40
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                  Imagebase:0x7ff7403e0000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:40
                                                                                                  Start time:18:35:01
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "369c9bdf-f4d2-425d-a5d4-bce6b2c11f23" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x24b83510000
                                                                                                  File size:176'176 bytes
                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  Has exited:true

                                                                                                  Target ID:41
                                                                                                  Start time:18:35:01
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:42
                                                                                                  Start time:18:35:02
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "5f6f6507-8a14-439a-936b-7c9abb12dc95" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x210e9490000
                                                                                                  File size:73'264 bytes
                                                                                                  MD5 hash:511A4FB73993DFA87C69BA28F15F37A8
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                  Has exited:false

                                                                                                  Target ID:43
                                                                                                  Start time:18:35:02
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:44
                                                                                                  Start time:18:35:02
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "6f300cb5-dcd2-4a4e-a623-2be92e21fc41" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x1f8bf4a0000
                                                                                                  File size:52'272 bytes
                                                                                                  MD5 hash:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:45
                                                                                                  Start time:18:35:03
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:46
                                                                                                  Start time:18:35:03
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                  Imagebase:0x7ff7807d0000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2807052058.00000189B6BD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2807052058.00000189B6BF3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000003.2727150145.00000189B6E40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2807866986.00000189B6E20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2807052058.00000189B6BDB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:47
                                                                                                  Start time:18:35:03
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:48
                                                                                                  Start time:18:35:03
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\cscript.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                  Imagebase:0x7ff675c60000
                                                                                                  File size:161'280 bytes
                                                                                                  MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2805107549.0000023442D40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:49
                                                                                                  Start time:18:35:04
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                  Imagebase:0x1fa5a970000
                                                                                                  File size:52'272 bytes
                                                                                                  MD5 hash:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2755903772.000001FA5AB35000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2759376361.000001FA5AE60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2755903772.000001FA5AACF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2755903772.000001FA5AAB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2759549511.000001FA5B513000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2755903772.000001FA5AAEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2755903772.000001FA5AAB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2759549511.000001FA5B491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:50
                                                                                                  Start time:18:35:06
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:51
                                                                                                  Start time:18:35:05
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a5cfd08f-59bf-4f7d-aca9-3371418cc30f" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x1e995440000
                                                                                                  File size:33'328 bytes
                                                                                                  MD5 hash:B0E08EBA67B6AAB9E4CD11E3CC0D9988
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                  Has exited:false

                                                                                                  Target ID:52
                                                                                                  Start time:18:35:05
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:53
                                                                                                  Start time:18:35:08
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                  Imagebase:0x7ff75be00000
                                                                                                  File size:69'632 bytes
                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2957965783.0000024229A13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2956930726.000002422909B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2957694594.00000242290B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2956979140.00000242290B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2957965783.0000024229A07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2914528311.0000024229250000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:54
                                                                                                  Start time:18:35:09
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 22082F62A3568C9AEFDA4CD2E366C73D E Global\MSI0000
                                                                                                  Imagebase:0x3c0000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:55
                                                                                                  Start time:18:35:09
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSI1667.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7214812 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                  Imagebase:0xec0000
                                                                                                  File size:61'440 bytes
                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000003.2790379772.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:56
                                                                                                  Start time:18:35:09
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "a742f8fb-c2f7-4e35-9df0-01c83d8be31e" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x1a3adac0000
                                                                                                  File size:51'248 bytes
                                                                                                  MD5 hash:26E9CCE4BD85A1FCACBF03A8C3F3DDCA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:57
                                                                                                  Start time:18:35:09
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:58
                                                                                                  Start time:18:35:10
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" b6d7854f-41ac-4cbe-bd3f-d1c32ac48fc1 "752b1c43-f6f1-475b-a99d-893bafb3d192" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LJyPNIA1
                                                                                                  Imagebase:0x22973020000
                                                                                                  File size:219'696 bytes
                                                                                                  MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                  Has exited:true

                                                                                                  Target ID:59
                                                                                                  Start time:18:35:10
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:147
                                                                                                  Start time:18:35:49
                                                                                                  Start date:15/08/2024
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Reset < >
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000004.00000003.2167555635.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_4_3_5210000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 52f90f0ae98e077bfa4323997a39130a58a6a37cb5367ac3ca2c95e617c93ad8
                                                                                                    • Instruction ID: adc76b361f22e8616b122d7fc8faa33ca60a74c4337a28906bb66c365618d898
                                                                                                    • Opcode Fuzzy Hash: 52f90f0ae98e077bfa4323997a39130a58a6a37cb5367ac3ca2c95e617c93ad8
                                                                                                    • Instruction Fuzzy Hash: A1E0D171D1A348DFC750DF79644155A7FF5BE55200B1052EED448D3242F6764642CF92
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000004.00000003.2167555635.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_4_3_5210000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000004.00000002.2173833424.00000000036DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_4_2_36dd000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 58c32b2a1790a773c130d1ec730dd6634e71a89d74c90ca98a2b767f0d2dd1f3
                                                                                                    • Instruction ID: 75d9f76025836b5faf2912b78eb44efb8190f8faf26dd5b5744d7979ceaa6788
                                                                                                    • Opcode Fuzzy Hash: 58c32b2a1790a773c130d1ec730dd6634e71a89d74c90ca98a2b767f0d2dd1f3
                                                                                                    • Instruction Fuzzy Hash: A701806140D3C4AFD7129F259D94B52BFA8DF83224F0D85DBE8888F293C2685C49C772
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000004.00000002.2173833424.00000000036DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_4_2_36dd000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fe0a9f9c2c908cd330c87720715e0bdb7e1d8bbad7dfeb5cc3e9d9a9618fdd16
                                                                                                    • Instruction ID: 9648c19397187de5c51688b65640b07e60c6a9009a62ab1924732a39f010c1c4
                                                                                                    • Opcode Fuzzy Hash: fe0a9f9c2c908cd330c87720715e0bdb7e1d8bbad7dfeb5cc3e9d9a9618fdd16
                                                                                                    • Instruction Fuzzy Hash: 9401A771805344EAE720EF25EE84F66FF98DFC5324F1C855AED484A242C3799846C6F1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000004.00000003.2167555635.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_4_3_5210000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 53dfc2a2aeedebec1121b4086b85ca6859a7c6280482666757a4273e361519e7
                                                                                                    • Instruction ID: 6fed831bb0d4e615babe0eb5189efc9acf490dc80051a7a927b2672776385d90
                                                                                                    • Opcode Fuzzy Hash: 53dfc2a2aeedebec1121b4086b85ca6859a7c6280482666757a4273e361519e7
                                                                                                    • Instruction Fuzzy Hash: C5018631B2020997EB14AA6985597AF7AF79FD8700F154029D906B7381CEB55C10C7D9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000004.00000003.2167555635.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_4_3_5210000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f815c07e88308f58089a565d06f33010c1d18c8283069b41af628e583d395624
                                                                                                    • Instruction ID: 00b0cf918994cb3e3b39c5792d1faeafbaa7fc9d14b0c66776061b6044c73ea8
                                                                                                    • Opcode Fuzzy Hash: f815c07e88308f58089a565d06f33010c1d18c8283069b41af628e583d395624
                                                                                                    • Instruction Fuzzy Hash: 6D01AE30A282454FD7095B74947671B3FE6EEC2500B0909A9D606CF1D1EE659414D7D1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000004.00000003.2167555635.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_4_3_5210000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b6b62f8ca5ef10beb707bc846fc13ac5ebb0e9ae96a9385cee15e465c8a3fa3a
                                                                                                    • Instruction ID: f54aeefebc771fd61903128cda35a58b40d94a4d10b4e2d716a330d69950d928
                                                                                                    • Opcode Fuzzy Hash: b6b62f8ca5ef10beb707bc846fc13ac5ebb0e9ae96a9385cee15e465c8a3fa3a
                                                                                                    • Instruction Fuzzy Hash: 8DF0243A32921583D724A6177484B3B6BDFBFE4610F088029FD0882281CE648D4197A8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000004.00000003.2167555635.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_4_3_5210000_rundll32.jbxd
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208090128.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_6e70000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: |k t
                                                                                                    • API String ID: 0-2260956542
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: l;'t$?'t
                                                                                                    • API String ID: 0-1814406251
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: |7't
                                                                                                    • API String ID: 0-2888053869
                                                                                                    APIs
                                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 06E79FF8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208090128.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_6e70000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DispatcherExceptionUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 6842923-0
                                                                                                    APIs
                                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 06E79FF8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208090128.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_6e70000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DispatcherExceptionUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 6842923-0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    • Opcode Fuzzy Hash: fea8fe1692f6a6e0f8945922f0055edf10e2fa09f489e4ce85d3d97b42eea80a
                                                                                                    • Instruction Fuzzy Hash: D951C271B002099FD714DF78D8506AEBBF6EFC9350B18816AE514D7360EA31ED42CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b6a288c6743ba8fbffb21852b92bf1c55a0b40228cb7dd5f74af9b0de92539c0
                                                                                                    • Instruction ID: 15492ebf98fef79d9dab8de8d2396f8030cdfbf5096d8a488d2ed8d64cbcd38c
                                                                                                    • Opcode Fuzzy Hash: b6a288c6743ba8fbffb21852b92bf1c55a0b40228cb7dd5f74af9b0de92539c0
                                                                                                    • Instruction Fuzzy Hash: F551E730B04204AFE7049F68D8547AE7FF2EF89325F158429E50AE7385DE756C468791
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a480b7a5f308e2ee121ee974085fb3b6ef1cd8ce80f23b6e26eb20c2d582070b
                                                                                                    • Instruction ID: ff005169db25ec9429593de3f8159128558054cbc28edc0196182df6782a98dc
                                                                                                    • Opcode Fuzzy Hash: a480b7a5f308e2ee121ee974085fb3b6ef1cd8ce80f23b6e26eb20c2d582070b
                                                                                                    • Instruction Fuzzy Hash: 38411931B002045BFB18ABA9986476F7BA6DFC5216F15843DF906E7381EE35BC0683A1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2b9480c2e622ac7522b3b13a09bd5fac5063b01f57d4b100b6d945081ac27cef
                                                                                                    • Instruction ID: 96e53dcd40626e0ba631db4c8dd575354301b56a5d862fffd434c3014abaaccf
                                                                                                    • Opcode Fuzzy Hash: 2b9480c2e622ac7522b3b13a09bd5fac5063b01f57d4b100b6d945081ac27cef
                                                                                                    • Instruction Fuzzy Hash: 04513C74E00209EFEB45EFA4D8686EEBB72EF88308F044518E615773A1CE356D11CBA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5bc089c95691ca190f98b65614f3a4a3bed00a2d1e2819504afdcc149cf4740b
                                                                                                    • Instruction ID: 982e4480c5bd94f47e734899c52a10bc4b964c75bb4e23256464f3cdaafe640e
                                                                                                    • Opcode Fuzzy Hash: 5bc089c95691ca190f98b65614f3a4a3bed00a2d1e2819504afdcc149cf4740b
                                                                                                    • Instruction Fuzzy Hash: 37410675A0A3819FE706DB34ACA56D97F31EF46314B0940D7D580CB2A3EE34A90BC7A5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bb53d3da4c16e83de23ff171334d9bc673275a176f7bf6d8b953e939622f0dc2
                                                                                                    • Instruction ID: ab0d1457113a931587961ffdc9289dbdb07940e3277ec22310c1cf26d884d714
                                                                                                    • Opcode Fuzzy Hash: bb53d3da4c16e83de23ff171334d9bc673275a176f7bf6d8b953e939622f0dc2
                                                                                                    • Instruction Fuzzy Hash: 3351A2323047418FD725DB34D858A6ABBE2EFC9711B18C66DD54A8B662DA34FC06C790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f540e5d6bb65dd1ad783d917da893c10688890cd4a271d8eb18bc1d0fabd2af4
                                                                                                    • Instruction ID: a9c2bdb1c142815fd3c2bcb90579019756a415b9a25287552c6c01c262cffc40
                                                                                                    • Opcode Fuzzy Hash: f540e5d6bb65dd1ad783d917da893c10688890cd4a271d8eb18bc1d0fabd2af4
                                                                                                    • Instruction Fuzzy Hash: BB51D535A00208DBFB05EFE4C860BDEBBB6EF89304F104429E6567B3A0DE356D519B91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 700bff5720d3df006b2b315273114c46842101e55fc4af5de776771715ab7e94
                                                                                                    • Instruction ID: 21160e0dc3b1a45c380b01e46346b972188b51a52105f2875eba87d38a4d0b05
                                                                                                    • Opcode Fuzzy Hash: 700bff5720d3df006b2b315273114c46842101e55fc4af5de776771715ab7e94
                                                                                                    • Instruction Fuzzy Hash: 8841C4307042158FEB19DF69D86466F77A3FFC92457248659E4099F385EF34EC0287A1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 65388b140d2b270ef53f84f765922e173f1a62564ebc5696b0fb6891c3b7260e
                                                                                                    • Instruction ID: f0d3446ad4a165b4110233155d74e53b901f11f8ae58f50278bb254181e109b2
                                                                                                    • Opcode Fuzzy Hash: 65388b140d2b270ef53f84f765922e173f1a62564ebc5696b0fb6891c3b7260e
                                                                                                    • Instruction Fuzzy Hash: E0519F343002079FEB45EB28E56566EBBA7EFC47047048A29D9099B345EF71FD1A87D0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f450fc651c3d603a547b57c0ee5f4580a3c8d8b7b196a683dd6f26beb497d8ad
                                                                                                    • Instruction ID: a540257e26251fb8e72ef6be7ba9c34aed69fb833b0383e33586848c8c038092
                                                                                                    • Opcode Fuzzy Hash: f450fc651c3d603a547b57c0ee5f4580a3c8d8b7b196a683dd6f26beb497d8ad
                                                                                                    • Instruction Fuzzy Hash: 955181343002079FEB44EB69E56566EBBA7EFC43047448A29E9099B344EF71FD1A87C4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 857d6e0bca571e166f5eeb16ccbf76c6aa02c642aeab7100ad9530bf108a2713
                                                                                                    • Instruction ID: f230bf5289e1ce0963b21550f010d717ec0e51fb59c2cedf3fe4f963636e6736
                                                                                                    • Opcode Fuzzy Hash: 857d6e0bca571e166f5eeb16ccbf76c6aa02c642aeab7100ad9530bf108a2713
                                                                                                    • Instruction Fuzzy Hash: B051FB74E00209EBEB45EFA4D8686AEBB73FF88304F544518E51577391CE356D11CBA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 02047a069876a6cb4485ccec8942be71837006e05fc55adfb15eae653a615cb1
                                                                                                    • Instruction ID: df11808a1c004ea361264fb78659ee28d97ec2b0ecef63062db31f669118a62f
                                                                                                    • Opcode Fuzzy Hash: 02047a069876a6cb4485ccec8942be71837006e05fc55adfb15eae653a615cb1
                                                                                                    • Instruction Fuzzy Hash: D6410734B042549FE719CF65C854B9EBBF2EF89310F248199E845BB392DA75ED02CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7b509f34eb30fd459689b0a00feae07ae860ef10e32ee3c881c59f1eb2fee58f
                                                                                                    • Instruction ID: 15cb6aa1bb4230afeed2d1e6b928d868d0c9dda23a79c07c35c183c8c8b37974
                                                                                                    • Opcode Fuzzy Hash: 7b509f34eb30fd459689b0a00feae07ae860ef10e32ee3c881c59f1eb2fee58f
                                                                                                    • Instruction Fuzzy Hash: 9C41EF70B08215AFEF089F79986877E7BA7EBC5615F148429F806D7385EE34EC018790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2bb60677fe0081c569020146729be6ec52ec33a7283fcddec88bc5a3c6ba95c7
                                                                                                    • Instruction ID: afa8fde4a6383d87798f6e87bb7ac422c57fd6e32a53e00f0b3344926bfd971c
                                                                                                    • Opcode Fuzzy Hash: 2bb60677fe0081c569020146729be6ec52ec33a7283fcddec88bc5a3c6ba95c7
                                                                                                    • Instruction Fuzzy Hash: B2415E70B10215DFDB19DF65D854AAEB7B2FF88205F144429E806AB390EF34ED02CB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1f75b0723107281eb25f636af70c2f5ca8a3bea985f6fb315a255546f4e73073
                                                                                                    • Instruction ID: c2e6cbc20bada69ef49d674277d3d3c22dc2227801c2b91cac8e2aeb1403491d
                                                                                                    • Opcode Fuzzy Hash: 1f75b0723107281eb25f636af70c2f5ca8a3bea985f6fb315a255546f4e73073
                                                                                                    • Instruction Fuzzy Hash: 14414D70B10215DFDB19DF65D854AAEB7B2BF88345F144429E806AB390EF35EC02CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a4b816318831006eeb282eac138b97116c2c147c883d22d5c2e9e735db41a7fa
                                                                                                    • Instruction ID: 7824f54a55c34c4801cbbf232c718f9841394ed551d6d8e3fbd60e4a85deec43
                                                                                                    • Opcode Fuzzy Hash: a4b816318831006eeb282eac138b97116c2c147c883d22d5c2e9e735db41a7fa
                                                                                                    • Instruction Fuzzy Hash: 72419A74A006048FDB14DF59C480A6AF7F2FF89355B15CA6DE85AAB361DB34F841CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2208765883.00000000047AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047AD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_47ad000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b0c4ed90fc364be5e54922d5034695eacd6e588c112b3cd4d95d46f59124ed1f
                                                                                                    • Instruction ID: ee4853c785bafd29458de42200cacf643ab409a9967ed709e1642dc13ea131e4
                                                                                                    • Opcode Fuzzy Hash: b0c4ed90fc364be5e54922d5034695eacd6e588c112b3cd4d95d46f59124ed1f
                                                                                                    • Instruction Fuzzy Hash: C72106B5604244DFDB29DF14D9C0F26BF66FBC8314F248669E9090B746C336E466CAA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 68d83baec2dbfebbe954a1cda6a8f5eaa1278527a15d4158f14e6415659b41d4
                                                                                                    • Instruction ID: 4de19aa675859a8c2886572b7c4d13390cafe76a03f0dbacd6f19116cfddae0e
                                                                                                    • Opcode Fuzzy Hash: 68d83baec2dbfebbe954a1cda6a8f5eaa1278527a15d4158f14e6415659b41d4
                                                                                                    • Instruction Fuzzy Hash: 5321B334B00209CFDB54DF75D8556AAB7A6EB84301B108165E9059B352EF71F846C7A4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 223237eed719fb104657fe1c99948d9912eac5dc0df6b3d0c68c7cfa7047748b
                                                                                                    • Instruction ID: d33e2db330ea351d317aab1089a13f7c8acf59a4dd64e0c9faab15f841bec3a2
                                                                                                    • Opcode Fuzzy Hash: 223237eed719fb104657fe1c99948d9912eac5dc0df6b3d0c68c7cfa7047748b
                                                                                                    • Instruction Fuzzy Hash: 97112E757043008FA714DA6AD490A2AB7D7EFC8669714843EE949CB356EF71FC0187A0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 647aecd7b7923b3077f6ae9f8a9405e8d8e5e35b822c7d29b2514984169a6d21
                                                                                                    • Instruction ID: 05468b261da1ec2addfcba5f44d6ce7d8f091ef51352ff6a60bf9f05c59d543f
                                                                                                    • Opcode Fuzzy Hash: 647aecd7b7923b3077f6ae9f8a9405e8d8e5e35b822c7d29b2514984169a6d21
                                                                                                    • Instruction Fuzzy Hash: 371130323042154FAB14ABAEA494A6BF7DAEFC8669314803AF50DC7795EF65EC014750
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5ba270e67333fc45b2d2e5cedcea8f13495c4625a9a3c9ca0acfb559de535457
                                                                                                    • Instruction ID: 75de02efef25b5060f49bcf0a7fb6792855adea00d2886de67d4037760dd156c
                                                                                                    • Opcode Fuzzy Hash: 5ba270e67333fc45b2d2e5cedcea8f13495c4625a9a3c9ca0acfb559de535457
                                                                                                    • Instruction Fuzzy Hash: 60218334B102089FE7189F69D459AAEBBF6EF88610F108059E806E73A0DF71AD018F94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 42f319cb03612eceee1caa9cfd67594aca33e3376f308ad23da0c5134eacc6f6
                                                                                                    • Instruction ID: cdd25da09cd30084fdb4e9fb0516f2e7341531ec76e7bd05da158782aefc3683
                                                                                                    • Opcode Fuzzy Hash: 42f319cb03612eceee1caa9cfd67594aca33e3376f308ad23da0c5134eacc6f6
                                                                                                    • Instruction Fuzzy Hash: 031127313006028BF711AB3CE55465E7BA7EFC9258304456EE68EDB351EF20FC028781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2208765883.00000000047AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047AD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_47ad000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 097b5f36b6820c1d011e777dc8a8ab5ee07cb58b9c64dfa58cb4b190b2087188
                                                                                                    • Instruction ID: c7ed8fe6c37c8b945c9dc445a0d1f34a835f39e89e6c45c0e6983f345daa44ba
                                                                                                    • Opcode Fuzzy Hash: 097b5f36b6820c1d011e777dc8a8ab5ee07cb58b9c64dfa58cb4b190b2087188
                                                                                                    • Instruction Fuzzy Hash: C301DB70A193469FCB096F7894757257FA9DFC2221B0A09BEDE0DCF252FE15980583D1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2208765883.00000000047AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047AD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_47ad000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9d30ddf30536f639ed65dc838fe96c9b88bff08eb337bbdd86e3a0e938a237c5
                                                                                                    • Instruction ID: 923b54aed1ebfc449e196d4bb2ed1879354d7305bcc86a4cba0fb62a95e20969
                                                                                                    • Opcode Fuzzy Hash: 9d30ddf30536f639ed65dc838fe96c9b88bff08eb337bbdd86e3a0e938a237c5
                                                                                                    • Instruction Fuzzy Hash: 4A01F7705043449AE7304F2AED84B67BF99EFC1724F188A1AED480BB42D378A805C6B1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dc5a210f1dce7d7989cdcbd97f823edf7767e3a364c274b9478e56a5fadf0b62
                                                                                                    • Instruction ID: dac9180a1227199d028f4ceadd2ca03ec1c23b56bfb83ce0fdfa154ca2be8443
                                                                                                    • Opcode Fuzzy Hash: dc5a210f1dce7d7989cdcbd97f823edf7767e3a364c274b9478e56a5fadf0b62
                                                                                                    • Instruction Fuzzy Hash: 4AF06D373081144FA7048E6DBC84A2EB7AAEBD4ABA31501BAF509C3260EA61DC028690
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9453de100d7c9bf566995f3118bf249dfc876c317b92c7841d1e0537b7885692
                                                                                                    • Instruction ID: 887fee7754fef69e0cf7f70b570111243a7e490fa8345723898c032310eec133
                                                                                                    • Opcode Fuzzy Hash: 9453de100d7c9bf566995f3118bf249dfc876c317b92c7841d1e0537b7885692
                                                                                                    • Instruction Fuzzy Hash: ED01F730604341ABF3059B75945459EBFA6EBC530C704492DD54A9B352DB61BC0A87E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b6b8d2341de457a670f26e1aab1f38c874c3ba435f8393c54d7325cc50bc5d9b
                                                                                                    • Instruction ID: dfe675663f9e278b0b1699d9631f840ed579d1cd279ee923ec8d5cadf2ef4a5d
                                                                                                    • Opcode Fuzzy Hash: b6b8d2341de457a670f26e1aab1f38c874c3ba435f8393c54d7325cc50bc5d9b
                                                                                                    • Instruction Fuzzy Hash: 8601F931B0421597FB18AB6885957EF7BF6DBC8705F20402DE006B7384EE716C028BD5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2208765883.00000000047AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047AD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_47ad000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1d20c94166c37a9894347aae13c0e1c7feb46db5b9f9c4738f6c309045bed48a
                                                                                                    • Instruction ID: 2ef77375d63b865b3b90a256218d241df3973c62fcc428115d9b3978730c315f
                                                                                                    • Opcode Fuzzy Hash: 1d20c94166c37a9894347aae13c0e1c7feb46db5b9f9c4738f6c309045bed48a
                                                                                                    • Instruction Fuzzy Hash: 5201757100E3C05FE7224B259C94B56BFB4EF43224F1D85CBD9888F693D2695849C772
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ee39a0808f0737fe4ed8a133187c72fc67fc346826726b64bb82e7cbc9cfe28e
                                                                                                    • Instruction ID: 78038bdd87f859a1db50a6ba1b7ac20fd659e36c51e73edc98e567b43362f662
                                                                                                    • Opcode Fuzzy Hash: ee39a0808f0737fe4ed8a133187c72fc67fc346826726b64bb82e7cbc9cfe28e
                                                                                                    • Instruction Fuzzy Hash: 82016275E05208AFEF04ABB8A4556ECBBB6EB88305F0040AAE409D7251EB345A468B81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 258f54752a6a0f46642f4f0c91ee7510463a67bf1aaa5cfe64691428be4d85b7
                                                                                                    • Instruction ID: 875177085fab1ea244a08dea7432f4f8f3e9b18138184728be5b23646cec047c
                                                                                                    • Opcode Fuzzy Hash: 258f54752a6a0f46642f4f0c91ee7510463a67bf1aaa5cfe64691428be4d85b7
                                                                                                    • Instruction Fuzzy Hash: EDF0F0323092010FE7008F2DAC9466BBBB9EF959A830600AEE448DB261DA20DC06C390
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cad87b8f706c91e8be99593546c23256ec3c4e230d1b1dd1ba808f09ca5b0a2f
                                                                                                    • Instruction ID: 01dab7322bb55abff40364cdad4b397fd4babc86e57f60746862bdbd7001dffc
                                                                                                    • Opcode Fuzzy Hash: cad87b8f706c91e8be99593546c23256ec3c4e230d1b1dd1ba808f09ca5b0a2f
                                                                                                    • Instruction Fuzzy Hash: 6E015E70E00309EFEB44EFB8D4556DEBBB5EF85208B1085E9D544AB351EA306F098B81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8bc7c9c4b2cdec7d9e7268b263491c43b0f240bb260a3bc18f4028793119f137
                                                                                                    • Instruction ID: 8a5c4d7030bf625adf56145efe7cf9a203643317a094bb0e8ee74fbc337a1895
                                                                                                    • Opcode Fuzzy Hash: 8bc7c9c4b2cdec7d9e7268b263491c43b0f240bb260a3bc18f4028793119f137
                                                                                                    • Instruction Fuzzy Hash: 9201A275B01501EBDB20CF68C68065DF3A6FF85326B908639D0169B344EB32EC45CBC0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 032d0c5e7c017bfccd26d53771626bd00aeff2bed774fcdf847b6bc54acfa8e1
                                                                                                    • Instruction ID: ee64ce0bdb2f20c2408154fdf54555691fc6d75cea1cacc701a0c78f734c37eb
                                                                                                    • Opcode Fuzzy Hash: 032d0c5e7c017bfccd26d53771626bd00aeff2bed774fcdf847b6bc54acfa8e1
                                                                                                    • Instruction Fuzzy Hash: 6901F4367102118BF7019B5898553BF7763EBC8354F54851AE6096B340EF71BD1687C0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8a1c5abf10426bccecea442d9394aa688a9192e795ff5960985bb9dd01f9c39b
                                                                                                    • Instruction ID: 41cd1f38d49d0b48ef14c03ab538bb3df14906bcd6d04a59d03367cd1c444704
                                                                                                    • Opcode Fuzzy Hash: 8a1c5abf10426bccecea442d9394aa688a9192e795ff5960985bb9dd01f9c39b
                                                                                                    • Instruction Fuzzy Hash: BBF022367002118BF7019A5888513BF3763EBC8650F98852AEA096B340EF70FC1287D0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8635344e5f00e0fc2ebab38eeb9515aa6d17ce2b4989bc31c2850e3fff7c572f
                                                                                                    • Instruction ID: ae02f2e6baa310d66da01a9e16818bd98d68348d2452a931da682e585336d2e4
                                                                                                    • Opcode Fuzzy Hash: 8635344e5f00e0fc2ebab38eeb9515aa6d17ce2b4989bc31c2850e3fff7c572f
                                                                                                    • Instruction Fuzzy Hash: B4F027F27083051FAB155B5A6C9059BABEAEFC9574304807AF51CC7351FE65DC0743A0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 391d57b5f9bbe2da81898e5d71b68ac010c3666f370120550e872a9b6e79248b
                                                                                                    • Instruction ID: f435681316fd9e6bdfe8fd4d1294551bb81434aa5cedbbf3082affbecc285775
                                                                                                    • Opcode Fuzzy Hash: 391d57b5f9bbe2da81898e5d71b68ac010c3666f370120550e872a9b6e79248b
                                                                                                    • Instruction Fuzzy Hash: 08F0C230700305ABF315ABB9D4545AFBBDAEBC53187444A2CD14A9B356CFB2BC0A87E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 92674c8878a91f9694731227ba3c23186035b0d453fc5a5251fb3c2443ca253c
                                                                                                    • Instruction ID: b6fc1ffdabd675fba1ffa35d86f9aebeee9246e5dd24b34733c7d0f4405642be
                                                                                                    • Opcode Fuzzy Hash: 92674c8878a91f9694731227ba3c23186035b0d453fc5a5251fb3c2443ca253c
                                                                                                    • Instruction Fuzzy Hash: 95F0B472600A019FF351AF2DF5955D9BB92FFC4324304C92DD64E8B665EB247C078794
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a69590ecf34236c3044b7a17b0ec885028c6e48f89cef76fbc46cbb4d5ee0b16
                                                                                                    • Instruction ID: 1b35b3bb752790d4a250ea5ab149e25f16861fa18a1d7cc80df1db4c0c9e0067
                                                                                                    • Opcode Fuzzy Hash: a69590ecf34236c3044b7a17b0ec885028c6e48f89cef76fbc46cbb4d5ee0b16
                                                                                                    • Instruction Fuzzy Hash: 67F0827250E3C16FE71346389920681FFB09E9B258B0B81E7D981DB0A3C624DC47C3A3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0d460c7a033fa2f87931b59dd49ec9d6144a64538d6ab1719e6774e48663d1da
                                                                                                    • Instruction ID: bce1d87f7658c482a12a4c0b28011f48cbeca2d4338634648901954b97417cbd
                                                                                                    • Opcode Fuzzy Hash: 0d460c7a033fa2f87931b59dd49ec9d6144a64538d6ab1719e6774e48663d1da
                                                                                                    • Instruction Fuzzy Hash: 26E092B19052899FDB01CF74F9562DC7FB5DB45204B2481EACC4897262DA316E428782
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 45ac7f930f7d53589fef37f4602cb655e79036ff52eb18060f8ae5406edfdc0b
                                                                                                    • Instruction ID: bdd84770f93f76809d3e0d9e2c5129e741490882ae9eb92fb74e37dc99bba7a9
                                                                                                    • Opcode Fuzzy Hash: 45ac7f930f7d53589fef37f4602cb655e79036ff52eb18060f8ae5406edfdc0b
                                                                                                    • Instruction Fuzzy Hash: 93E0C27230D3944FEB0A6B2428691643F61DFC6029B1948FBF1C5CB1E7DA28AC1AC365
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5bc1de475adbb28e88133afff529206e9d0d82a74f899e3249bb68794a0b3d5e
                                                                                                    • Instruction ID: 1fa822627a82163eec8df436bdba90a7e8ff471b51f6f2faa4d781bf0e242afa
                                                                                                    • Opcode Fuzzy Hash: 5bc1de475adbb28e88133afff529206e9d0d82a74f899e3249bb68794a0b3d5e
                                                                                                    • Instruction Fuzzy Hash: 68E0C23120031457D2147B58E00896F7BDAFBC9768B04052DE54A83700CF75BC128BD5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 519e8dbcbf0d699c261e2bf3e623b12695cb06c198bb68b3b3055a1554b6755b
                                                                                                    • Instruction ID: 8518d667fcc863ec745e36184ec6abcf30d243f6c7ae9710dde4e9257dd3662e
                                                                                                    • Opcode Fuzzy Hash: 519e8dbcbf0d699c261e2bf3e623b12695cb06c198bb68b3b3055a1554b6755b
                                                                                                    • Instruction Fuzzy Hash: 07E086711463409BE3019764FD617CA3F21DB91300F5585AAE2555F262DE65780B83DD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0e134adcbf6ca08e7feb0c7d5e0939d92911948b455287a7bae15b634a65bb9d
                                                                                                    • Instruction ID: 868e5a1c3d340693f63c031e30c05b17f9636fae526011a6c7e2a904d5ba0fc4
                                                                                                    • Opcode Fuzzy Hash: 0e134adcbf6ca08e7feb0c7d5e0939d92911948b455287a7bae15b634a65bb9d
                                                                                                    • Instruction Fuzzy Hash: 37E0EC753042049FE314DF5CD884C92BBE9FF992553558099E848CB312DB22FD12CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5234244180f842b6ad7e5fb5c65c14bd0510a053673caedc4463079f8c595c3a
                                                                                                    • Instruction ID: 00317da0b75fed95fc7577570f5006e651bb779ce4d9ef7eada8b13daa4347f7
                                                                                                    • Opcode Fuzzy Hash: 5234244180f842b6ad7e5fb5c65c14bd0510a053673caedc4463079f8c595c3a
                                                                                                    • Instruction Fuzzy Hash: FDD0A736300120130A04269E742847FB79FCBC9DAA314012FFA0DC3341DE56AC0643D5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4c2ae82e8a84f35c3457dde65dd4eda46027c15224afaf50da4a24fe7dbc2fdb
                                                                                                    • Instruction ID: 339b440ea4f3e487e9ad78594394aeffae639871ba5764067daeb595bc0df6c1
                                                                                                    • Opcode Fuzzy Hash: 4c2ae82e8a84f35c3457dde65dd4eda46027c15224afaf50da4a24fe7dbc2fdb
                                                                                                    • Instruction Fuzzy Hash: F7E0B674E0420CAFCB54EFE8D4545ADBBF5EF88300F0081EAD809E7350EA345A058F81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 37b84ed64fd6edc388b28571348ab534ff05c4571ed1e59080773248095b1a70
                                                                                                    • Instruction ID: e2edae6f3d754d8b57984263749fc89374a6e453fffbf93e5fcf7b57c26b30d4
                                                                                                    • Opcode Fuzzy Hash: 37b84ed64fd6edc388b28571348ab534ff05c4571ed1e59080773248095b1a70
                                                                                                    • Instruction Fuzzy Hash: D0D02E3226E2040FC308E7A4F80A1987F65E759020B04803FE905872A5CC610C82C3C0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7cfcb34de36ea1eafc7826f064e7fa2f6936503ee1f9153169ea1a65b3ebc01d
                                                                                                    • Instruction ID: 30d195c5a6e244bbd26a13238d582775365b756f11d23899ef053992eb2413a2
                                                                                                    • Opcode Fuzzy Hash: 7cfcb34de36ea1eafc7826f064e7fa2f6936503ee1f9153169ea1a65b3ebc01d
                                                                                                    • Instruction Fuzzy Hash: 21D0A712F4E7506BDF0513B424292D96F58CF46A25F0284FBED589B242ED78DC034381
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 83ce84e59a527ccd1e387ce54f3b8472315d9094525f8ea64d893dcd8af9cf87
                                                                                                    • Instruction ID: 0d83ade6ee4e51f2cdd8db7c27f2b0530161ddaad5758ebc24e15e5efd7e113a
                                                                                                    • Opcode Fuzzy Hash: 83ce84e59a527ccd1e387ce54f3b8472315d9094525f8ea64d893dcd8af9cf87
                                                                                                    • Instruction Fuzzy Hash: A9D0A73236511C6B52146618D85696A7BA9E794372390443BFA0183614ED607C408799
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a53684bc09af65d85c37ba3824681bbdc19d152fb48b21c9af3111b4b0411007
                                                                                                    • Instruction ID: 36851eeff7fe71c6f545af6db97c193e72befdbd50f6800e83673acd262a1da1
                                                                                                    • Opcode Fuzzy Hash: a53684bc09af65d85c37ba3824681bbdc19d152fb48b21c9af3111b4b0411007
                                                                                                    • Instruction Fuzzy Hash: 53D01771A00209EB9B40DFB8E91569EBBB9EB84204B2045EAD808E3251EE316E009B94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b082297b24fc81b03458b1555343057431428fc81d77fce8583ec5ec660352fb
                                                                                                    • Instruction ID: a34cfad77043b0fe9ce195db89b8e5447f7999b4d07b5263c27389945790e44f
                                                                                                    • Opcode Fuzzy Hash: b082297b24fc81b03458b1555343057431428fc81d77fce8583ec5ec660352fb
                                                                                                    • Instruction Fuzzy Hash: 99E01230A0420BDBDB14DFE0C5546AF7771BB4470AF204418E402AA244EB75A506DF41
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3d04d9a5baa3bf126bcec50eb06ec0533af1af302d126591a820a4124f2e194a
                                                                                                    • Instruction ID: 9ed1181eb9a8f37de6b4559f43eafa601ea33ddcf60ef11de1070bebbbccdd89
                                                                                                    • Opcode Fuzzy Hash: 3d04d9a5baa3bf126bcec50eb06ec0533af1af302d126591a820a4124f2e194a
                                                                                                    • Instruction Fuzzy Hash: CCD05E7490120ADFDB40DFB5E91295EBBF9EB44200B6086A5D404D7210EE316E008BC0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0f855af4dbba8030519a05c3258a30ad6e699206bfa8b09e03672f750147bcbf
                                                                                                    • Instruction ID: e2c905955338eb4ad286e70e2f59474d0df241ec3ceaa042f8de34113fc1497f
                                                                                                    • Opcode Fuzzy Hash: 0f855af4dbba8030519a05c3258a30ad6e699206bfa8b09e03672f750147bcbf
                                                                                                    • Instruction Fuzzy Hash: 6AD0C9303182048B8F48DB65E565525B7A9EB88A4530088ACB80BC7342EF26F8168784
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 66442605f40a450593c7884f254825e13033a69d87cfabf152b6f749402c0098
                                                                                                    • Instruction ID: 16b553e05026a978b176ba6efec741dbd38762532b6f066b99c158e4f130e525
                                                                                                    • Opcode Fuzzy Hash: 66442605f40a450593c7884f254825e13033a69d87cfabf152b6f749402c0098
                                                                                                    • Instruction Fuzzy Hash: 27C08CB3A202128BC1148748058D6EAF760FB32322B8882A6D20409001F22100538A99
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 380dac3a04c756e6b2d94f9b7f8dd16c59cd4dcc75907014493b4eafff619b72
                                                                                                    • Instruction ID: d026db80ad81af12ce8d298624bb5ba28dfbe94bbacfe7daab8eb599a26d9908
                                                                                                    • Opcode Fuzzy Hash: 380dac3a04c756e6b2d94f9b7f8dd16c59cd4dcc75907014493b4eafff619b72
                                                                                                    • Instruction Fuzzy Hash: 9BB0927090530CAF9620DA99980196AB7ACDA4AA10F0001D9E90887320DA76AD1056D1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2208067283.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_4a30000_rundll32.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3a7e281b32a929d8ed10bc940ac6bf8a639dd7d0bbe86d5666bd25693330612c
                                                                                                    • Instruction ID: fd1e3bcd746732d51956810e271e598a804814ac9aadced1b8135b2dff162f5f
                                                                                                    • Opcode Fuzzy Hash: 3a7e281b32a929d8ed10bc940ac6bf8a639dd7d0bbe86d5666bd25693330612c
                                                                                                    • Instruction Fuzzy Hash: 4F11F2B1D042498FEB10DFAAD881AEEFBF4FF88320F54842AD51967240C7756905CFA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 76cf2cc2d13c0a3aa93f648a7fea9f27cd7cdeaa32648a1794a13b10e3bf9b70
                                                                                                    • Instruction ID: e580ef18d5e39e985605a819d352888136f53ac02c5262b44a57f9ec078cb2e7
                                                                                                    • Opcode Fuzzy Hash: 76cf2cc2d13c0a3aa93f648a7fea9f27cd7cdeaa32648a1794a13b10e3bf9b70
                                                                                                    • Instruction Fuzzy Hash: 0E01B5307193466FDB099F75A9356663FEDDFC620030948AAC50DCF262EE65AC14C7E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b01dff8f43e335612f165be811c8b2a74210abc4d77d44803c0a34bb9cb0c373
                                                                                                    • Instruction ID: c6ccb056bc3d86c598fbe697596eac0926075b5be200c56bcf760c701580124a
                                                                                                    • Opcode Fuzzy Hash: b01dff8f43e335612f165be811c8b2a74210abc4d77d44803c0a34bb9cb0c373
                                                                                                    • Instruction Fuzzy Hash: 46115431600315EFDB44DF64D455AE97BBAEF8C310F148419E409AB344DFB9AC45CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 26e350fa6b3a58a36015bcb56c083e2030140b4b2d0e2ded133734e2444f1007
                                                                                                    • Instruction ID: 1382305ae8da49f71072c61437bde480b1ca68253c3f081f2ec1998198e7c921
                                                                                                    • Opcode Fuzzy Hash: 26e350fa6b3a58a36015bcb56c083e2030140b4b2d0e2ded133734e2444f1007
                                                                                                    • Instruction Fuzzy Hash: 9501A176B00205DFCB24BB79A40566D3BF5EB8571171044AAE90ADB371EA31BD429B84
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: abd202aa3dd85f45c1a989c3ee5cdefd6ba03b20cb18f47bca414df8d856b892
                                                                                                    • Instruction ID: 501250b23c1aa0b258567ba78a13d28f7077969f7ccf378a8aa55ddcedea73f3
                                                                                                    • Opcode Fuzzy Hash: abd202aa3dd85f45c1a989c3ee5cdefd6ba03b20cb18f47bca414df8d856b892
                                                                                                    • Instruction Fuzzy Hash: 4A01F271A0010697FF18EA68A558BAF7AE6DBC8714F54802ED005B7381CE756C019790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2214446564.000000000440D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0440D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_440d000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5c765e9142ee1aa5cca2369b2ff820f6d9e5575cc3a16b9b7e44ccea5d6215d8
                                                                                                    • Instruction ID: 240d9552e6e5d699a79aef1b28ed898068f874645b8654be87b2a5e27be936b7
                                                                                                    • Opcode Fuzzy Hash: 5c765e9142ee1aa5cca2369b2ff820f6d9e5575cc3a16b9b7e44ccea5d6215d8
                                                                                                    • Instruction Fuzzy Hash: 8501006140E3C45EE7124B259994B52BFB4EF43224F1DC1DBD9888F2D3C2695849C772
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2214446564.000000000440D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0440D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_440d000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: db9ac84e2996388f8607d6ec862a8e41db9654d7fc04f2b0bfc88001b2522a12
                                                                                                    • Instruction ID: b91e8e8dbdb01ff408ab19b4ac4211b93fb6816840a8490902adeacf82f82080
                                                                                                    • Opcode Fuzzy Hash: db9ac84e2996388f8607d6ec862a8e41db9654d7fc04f2b0bfc88001b2522a12
                                                                                                    • Instruction Fuzzy Hash: 6201F7B19043449AEB204F65ED80B67BF98EF41368F08C53BDD4C1B2C2D379A80AC6B1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3a7785846ddacc78437154a6c8ebba42134538f20d6f9f59ba68d9b5f506120b
                                                                                                    • Instruction ID: aca831dcd6d4ac639e9c03476e4f830f869f5fbe3a4528f5bc1189552bebd2cb
                                                                                                    • Opcode Fuzzy Hash: 3a7785846ddacc78437154a6c8ebba42134538f20d6f9f59ba68d9b5f506120b
                                                                                                    • Instruction Fuzzy Hash: C301D1313113419BFF25AB71A9146993F99EB4221470485BEE902DF3A3DEA1BC868391
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6aae6ba959742f44fc892240c93f326949fb656ecc1314de08c6c2bcdd915ef9
                                                                                                    • Instruction ID: 4242c7013572534c6f31020c1717836f8af22feaa40a8979a2b17b16f69f42b1
                                                                                                    • Opcode Fuzzy Hash: 6aae6ba959742f44fc892240c93f326949fb656ecc1314de08c6c2bcdd915ef9
                                                                                                    • Instruction Fuzzy Hash: F0016979B10215CFCB44EF79D4056AE7BF6EB88711B10046AE90ADB360EB31AD02CB80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f3808fd897bb19d5221abdb9250d5462dd0004d4494ac044b9b2ace29f877b83
                                                                                                    • Instruction ID: 204fddc743a18941d0c850eecdb8a3851b42c0a30b7e3ca549387b370750efd4
                                                                                                    • Opcode Fuzzy Hash: f3808fd897bb19d5221abdb9250d5462dd0004d4494ac044b9b2ace29f877b83
                                                                                                    • Instruction Fuzzy Hash: 1EF0A4346043069FDB099F79A4256993FDDDFC6214349486AC609CF2A1EE65AC10C7D1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dcab56449c4e11e3f824b118332993a7e0d1819e4a1e2cd84008aae5ffcf0dd2
                                                                                                    • Instruction ID: 1fd80b879506553bbdafdb572ac6d95a0b561ca024b31a807ad98a79c6788021
                                                                                                    • Opcode Fuzzy Hash: dcab56449c4e11e3f824b118332993a7e0d1819e4a1e2cd84008aae5ffcf0dd2
                                                                                                    • Instruction Fuzzy Hash: 1FF06D313103119BEB28AB75A91469A3B9AEB81304704C63DEA02CF262DFB1BC458794
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 36c250f726b1c3ef17dffac29df61540c875b428556f25ac089787f4b2b4d98b
                                                                                                    • Instruction ID: dd709d2cf8c8de1504b7c5a33f7a1fc522a9ab29481e896efe3ec80807c83835
                                                                                                    • Opcode Fuzzy Hash: 36c250f726b1c3ef17dffac29df61540c875b428556f25ac089787f4b2b4d98b
                                                                                                    • Instruction Fuzzy Hash: 1FE0922230A3A05F9B262A7174141FD3BD9994262130581E6E805CA2A2DB4C9D428395
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f528e2fc71fc9e59e38ff77b948f61040e9f1d553db136d5863f9c3896fe3ee7
                                                                                                    • Instruction ID: 6a97dbd8d76db3735b49847dd348a758a9d82bbce8c0c61839bdb878601fb697
                                                                                                    • Opcode Fuzzy Hash: f528e2fc71fc9e59e38ff77b948f61040e9f1d553db136d5863f9c3896fe3ee7
                                                                                                    • Instruction Fuzzy Hash: C8E09A7490A34ADFCB01EBB0B9156687FF8EB4220872049EED800E7263EA302E059784
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3a06fecc1ba31935b4e9c586479bd10de382672744db41eec2ed8ce78db1fd54
                                                                                                    • Instruction ID: dc6264637e5d793baad91ebee97627ef396b0e76376e24bb590a6189028ba7f3
                                                                                                    • Opcode Fuzzy Hash: 3a06fecc1ba31935b4e9c586479bd10de382672744db41eec2ed8ce78db1fd54
                                                                                                    • Instruction Fuzzy Hash: C5E0C2332093655FCB02463CE4545553BE88B4B62471501D7E105CF3B3C552AC418385
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a87c89f2d1ac5f3c812c49adea3cfddcb29ce470b76fe83aab99ea9799ff22f8
                                                                                                    • Instruction ID: 4ae9f234ca83db48a5e774bae4252479882b59ab8b187ee52a9bbbe463689e29
                                                                                                    • Opcode Fuzzy Hash: a87c89f2d1ac5f3c812c49adea3cfddcb29ce470b76fe83aab99ea9799ff22f8
                                                                                                    • Instruction Fuzzy Hash: 62D0C232305234979E2429A674046FE37CCDB416617018179E80AC6381DF8CDD4243C4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 54836db9ecb53e1b92143cbd1b67d1ef6e98710e1a33bfb435df2bbdafb220ef
                                                                                                    • Instruction ID: 7f0eb98ef1a9a443c7a8fee8c498879d289cc81d7c6e6c3a7dbdf8cda4767b1f
                                                                                                    • Opcode Fuzzy Hash: 54836db9ecb53e1b92143cbd1b67d1ef6e98710e1a33bfb435df2bbdafb220ef
                                                                                                    • Instruction Fuzzy Hash: C1E0C2332592881F8B165B10B8118E53FF99B5A12234400ABF84087362DD213C14D7D0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.2213718348.0000000004790000.00000040.00000800.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_4790000_rundll32.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2274004035.00007FFD34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34300000_AteraAgent.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bb9b0214af956dc2fad38e042f733fd73de5b456187155fbb0237e4655ceb663
                                                                                                    • Instruction ID: 7a3564a542de1f14d6e06556663c4292ec539339e8937b0320250211fe543422
                                                                                                    • Opcode Fuzzy Hash: bb9b0214af956dc2fad38e042f733fd73de5b456187155fbb0237e4655ceb663
                                                                                                    • Instruction Fuzzy Hash: 93B1D677A1D1924AE321B7FCB8B16EA3BA4CF43239B0841B7D5CCE9093DD18548AD294
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bfe9bedc4f01440f3745b4e3aad37e14ac8e5634cb0b418973f6f6a591417354
                                                                                                    • Instruction ID: 3ce30b3d35aa858fd7d6ade475ce4fcbfb8db96f10717f24ebaf098184b55188
                                                                                                    • Opcode Fuzzy Hash: bfe9bedc4f01440f3745b4e3aad37e14ac8e5634cb0b418973f6f6a591417354
                                                                                                    • Instruction Fuzzy Hash: A4B16434A0965D8FEBA4DB68C4907A8B7F1FF5A300F1041BAD10DE7281DF7A9985DB40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c02664d034e5dae8d953015f90dd2c034ea25f4e2cf472e0126b5fb08b7508f2
                                                                                                    • Instruction ID: 46441362a89ff7f37c4b0ed0d6a2b8e4549db8ce63c002badc2c8e58892327bf
                                                                                                    • Opcode Fuzzy Hash: c02664d034e5dae8d953015f90dd2c034ea25f4e2cf472e0126b5fb08b7508f2
                                                                                                    • Instruction Fuzzy Hash: 69C1B474A18A5D8FDF94EF58C894BA8BBF1FF69301F1041AAD00DE7261DB35A981CB40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0484fce867bdc43d00f426c56772ce9f686fa2d11d20b2958ff0184b6d63bcb2
                                                                                                    • Instruction ID: fee2a3721c8362004d73990ff1f23463f2dc1629fd42e83d154c85cd0cccb659
                                                                                                    • Opcode Fuzzy Hash: 0484fce867bdc43d00f426c56772ce9f686fa2d11d20b2958ff0184b6d63bcb2
                                                                                                    • Instruction Fuzzy Hash: D7B1A534608A8D4FEB69DF28C8567E93BD1FF56310F04426AE84DC7292CB799945CB82
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: eb2ffe6ae2738e29df390d70693b5ff6167a302f3f21b70844a0b0e1deb71a3c
                                                                                                    • Instruction ID: 9e660a6ab277d1d5b9c2503e94aec188be4a2835744275bb323ac5d07663c2a9
                                                                                                    • Opcode Fuzzy Hash: eb2ffe6ae2738e29df390d70693b5ff6167a302f3f21b70844a0b0e1deb71a3c
                                                                                                    • Instruction Fuzzy Hash: 81912A34A0966D8FDB65EB28C8947E9B7F1EF5A300F5040E9D04DE7291CA79AE85DF00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fc36962bbbded7c29c2c3c2671fc498f8c1803f14d8cfebb49863a446886680d
                                                                                                    • Instruction ID: 0cbb7951ef0ce994ef91628d35dc4c9009ee0dcedaacaa6231fc204eb91669eb
                                                                                                    • Opcode Fuzzy Hash: fc36962bbbded7c29c2c3c2671fc498f8c1803f14d8cfebb49863a446886680d
                                                                                                    • Instruction Fuzzy Hash: B1612134A08A4D8FDB95EF98D8A4AFDB7F1FF5A300F1504A9D109E7291CB39A841CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 54d704a44ffadab45555e094194235fbf0fb55ddbab5d03489dfe8fd6ec52978
                                                                                                    • Instruction ID: d9962753b95f01828f530110e1e1f2966206fa827d0b30009ae12031d9cf597c
                                                                                                    • Opcode Fuzzy Hash: 54d704a44ffadab45555e094194235fbf0fb55ddbab5d03489dfe8fd6ec52978
                                                                                                    • Instruction Fuzzy Hash: D7517531908A1C8FDB68DB58D8557E9BBF1FB59310F1082AAD04DE3252DE35A985CF81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ebb7ba69623f857291f20d06931f8ec4d78e0ea85b2a635add04a712a905ae1a
                                                                                                    • Instruction ID: 1c876d07502cf72431bb2cd519e64bb12c31264a1ab4bda33146bc08aa5562d3
                                                                                                    • Opcode Fuzzy Hash: ebb7ba69623f857291f20d06931f8ec4d78e0ea85b2a635add04a712a905ae1a
                                                                                                    • Instruction Fuzzy Hash: C851A430A0DA8D9FDB55DBA8C8646EDBBF0FF9A310F0501BBD048DB192DA2D9845C751
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9c93ae95182b87c7191b1afd8e9c25fc7b69e8617232f25e4095ef397a248213
                                                                                                    • Instruction ID: 94087cc4eafab7d6369a98a73e6cd0040326b2b848dc08c8c35c1b083f790d2c
                                                                                                    • Opcode Fuzzy Hash: 9c93ae95182b87c7191b1afd8e9c25fc7b69e8617232f25e4095ef397a248213
                                                                                                    • Instruction Fuzzy Hash: 45518175A09A898FEB65DB6884A56E9BBF0FF56300F0400BAC44DE7292DF3D5845DB01
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d63d9f6431d099034474e68120234b45967f296714796474be1cdff45122e4bd
                                                                                                    • Instruction ID: 23f3c82c59e88339f612e550825872cdaa2543f52a7c9dd783cd01998100ecb5
                                                                                                    • Opcode Fuzzy Hash: d63d9f6431d099034474e68120234b45967f296714796474be1cdff45122e4bd
                                                                                                    • Instruction Fuzzy Hash: 0341A374909A4D8FDB45EB68C8906ED7BF0FF5A310F04017AD149E7291DB3D9986CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e6624a3ae489535c6e28d9fd7f66e3a12f5fbbff789726ccd3635ea6fc69e0df
                                                                                                    • Instruction ID: ee1426ed82ae9663afb61c3c36ff93e98796d85b1e47099ae0d30f62c7840688
                                                                                                    • Opcode Fuzzy Hash: e6624a3ae489535c6e28d9fd7f66e3a12f5fbbff789726ccd3635ea6fc69e0df
                                                                                                    • Instruction Fuzzy Hash: 0141A474A09B8D9FDB41EF68C8906E97BF0FF9A310F0401AAD408D7291D73D9986CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2e19f55a829cdc04ea9826a09d7b6b02115554a199b0a1497a0f5177d79dac2e
                                                                                                    • Instruction ID: 9056c98cd1affdd9d8870f3ce5d7732e5c538be2542825c12c23315756acd802
                                                                                                    • Opcode Fuzzy Hash: 2e19f55a829cdc04ea9826a09d7b6b02115554a199b0a1497a0f5177d79dac2e
                                                                                                    • Instruction Fuzzy Hash: CB41C874E18A5DCFEB94EBA8C4946ACB7B1FF5A301F500079D519E7292DF39A881DB00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0963cdd815d12505092d3dfba761fa81dfc83337fd3195084b691e89c11a1925
                                                                                                    • Instruction ID: 9ef25cdc4134b87c985049a14a910cdf7f447f2d4f5df2d5d79b5304d37877af
                                                                                                    • Opcode Fuzzy Hash: 0963cdd815d12505092d3dfba761fa81dfc83337fd3195084b691e89c11a1925
                                                                                                    • Instruction Fuzzy Hash: 5E311E3460964D8FDB94EF68C4A1BE977E2FF4A304F5545B9D00DD7286CE3AA842CB00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3b50ea6cbb4390c20a11cfe6fff3944a4f9f123c36403b8922c432cc041096a6
                                                                                                    • Instruction ID: 794e0ec328cc3e2dc3596752f48c1b217163afc8550b7dcd4b5a2961a2332704
                                                                                                    • Opcode Fuzzy Hash: 3b50ea6cbb4390c20a11cfe6fff3944a4f9f123c36403b8922c432cc041096a6
                                                                                                    • Instruction Fuzzy Hash: BD21C476A0C6C94FD751AB68A8B15DA7BE0FF86321B0401B7E54CC7293C96C9845C751
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0f9c48dc53d4278c0375e4983b6702312524be1700794a55c27a510c48994950
                                                                                                    • Instruction ID: 14f9ed1e7a88aedaebe23452b5bc74f9cb44c9b2a72749fc031b8a58c12b6f23
                                                                                                    • Opcode Fuzzy Hash: 0f9c48dc53d4278c0375e4983b6702312524be1700794a55c27a510c48994950
                                                                                                    • Instruction Fuzzy Hash: 79213B66A0E6C64BE711AF3858B52F97BE0FF53204F0500BBE56CD70D3D92AA905D381
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.2273689389.00007FFD34210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34210000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ffd34210000_AteraAgent.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: -_H
                                                                                                    • API String ID: 0-994599666
                                                                                                    • Opcode ID: 4555e71e66e6e5eaff78a809b8c3281a8639f9ac6b1067ac482f51dcefbf3d28
                                                                                                    • Instruction ID: e597d42ccb9b9b2158050dbf72c6aafe581827b25fd124f01cf82882c9b98a1b
                                                                                                    • Opcode Fuzzy Hash: 4555e71e66e6e5eaff78a809b8c3281a8639f9ac6b1067ac482f51dcefbf3d28
                                                                                                    • Instruction Fuzzy Hash: 3842C431718A494FEB94EB1CC4A9BB577E2FF9A300F0501BAD14EC72A6DE69AC41C741
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: p:C4
                                                                                                    • API String ID: 0-2573727669
                                                                                                    • Opcode ID: b5ba5796bf6ea2d60965bc3453722604af6541ddee596e0ebfe34be7fe63a518
                                                                                                    • Instruction ID: 44472ebc3af572a03fd5b25eea5180708030b930c0b06e199f00a0a913c0addb
                                                                                                    • Opcode Fuzzy Hash: b5ba5796bf6ea2d60965bc3453722604af6541ddee596e0ebfe34be7fe63a518
                                                                                                    • Instruction Fuzzy Hash: 3EB15922B1DA894FE7999B6C44B52797BD1EF9A310B0A00BED14DC33DBCD5CAC428381
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: [<N_^
                                                                                                    • API String ID: 0-1903293223
                                                                                                    • Opcode ID: 9cb8400397430c2f2eb78dd4e49d9b4946e96b8560df2453b96babeb9ca1c631
                                                                                                    • Instruction ID: 8e0f2c02f03cb1935e022d907ccc65a8d927e8c6a05cab49f1f0351f26b780ed
                                                                                                    • Opcode Fuzzy Hash: 9cb8400397430c2f2eb78dd4e49d9b4946e96b8560df2453b96babeb9ca1c631
                                                                                                    • Instruction Fuzzy Hash: 18E0EC34A065098ED255AB2490B1278B671BF57300F6014B8D14DFA246CE3A9881DB54
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: de91bb6f0f18387a8516b7c07706a5c6833b8d8e41769744857abb18843d759b
                                                                                                    • Instruction ID: 24e2e39b7b99e7caa09ff8eda05581bd340885185f089a64058696690cdfd65f
                                                                                                    • Opcode Fuzzy Hash: de91bb6f0f18387a8516b7c07706a5c6833b8d8e41769744857abb18843d759b
                                                                                                    • Instruction Fuzzy Hash: 04520665A0D7C64FE366C73984A96A53FE1EF53320F0401F9C58DDB2E2D92E6806DB41
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2b8dbc03dd51909383fc7df11f9bd69984f7fdfdb2ebf3c54a109ddb74899349
                                                                                                    • Instruction ID: cc4abfaaf8ec6eda2794364282a7b1201108c9c3905897743569fca97edaafab
                                                                                                    • Opcode Fuzzy Hash: 2b8dbc03dd51909383fc7df11f9bd69984f7fdfdb2ebf3c54a109ddb74899349
                                                                                                    • Instruction Fuzzy Hash: E3C10A57B0E5860BE72266EC68B11FD7BB4DF5323570903F7D588EE0C79C0E6406A252
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2e8be64a201d5d1618e625628282402b9fb9392e3cd75f1e463b81d211cca38c
                                                                                                    • Instruction ID: ea9b022845685cc1e2ce9a5e461ebe7bb91c1eb7018b09a470a5409bc41cccdc
                                                                                                    • Opcode Fuzzy Hash: 2e8be64a201d5d1618e625628282402b9fb9392e3cd75f1e463b81d211cca38c
                                                                                                    • Instruction Fuzzy Hash: 0C914C75E086198FEB68DB54C8A57ACBBB1FF5A300F1001B9D10DE7292DA396985DF40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f61192e2a6b4e3883fab43bf3ffd69ba8d719fc2123255739cd1d30a71dc91b2
                                                                                                    • Instruction ID: 2c32e8cf94e71c8f3f38e3f1ec7f48c67173f8e13b242d3d5042f1908b2a25d6
                                                                                                    • Opcode Fuzzy Hash: f61192e2a6b4e3883fab43bf3ffd69ba8d719fc2123255739cd1d30a71dc91b2
                                                                                                    • Instruction Fuzzy Hash: 91813D75A0851D8FDB98DF18C8A57A9B3B2FF99304F5041ADD10EE7285CE3AA981CB10
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @654$@654$@654$@654$pD54$D54$D54$D54$D54
                                                                                                    • API String ID: 0-3023455983
                                                                                                    • Opcode ID: fe9503cc36c887fe35931ea4c932e30e402e904fa1ee69801d60b60df8213de3
                                                                                                    • Instruction ID: 72b27ebca0c08021446b76f3f8ef73c11be2e6b62f21aa5d45a75898946fc2de
                                                                                                    • Opcode Fuzzy Hash: fe9503cc36c887fe35931ea4c932e30e402e904fa1ee69801d60b60df8213de3
                                                                                                    • Instruction Fuzzy Hash: 88612876A1CE454FE7A4EB1C84A9B62B3D1FBE6350F40053AD15EE3291CE2DF8418742
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #4$H$HB34$`B34$d
                                                                                                    • API String ID: 0-3326537112
                                                                                                    • Opcode ID: 574999f893d0fc2db26ca5aef0bc56b63f05c7c15cc0be590a23d33a5ebce1fd
                                                                                                    • Instruction ID: 25fd4ecf67788d213e4804eccf4f79b2fa56bf9360fa98032c91d6cab53d941e
                                                                                                    • Opcode Fuzzy Hash: 574999f893d0fc2db26ca5aef0bc56b63f05c7c15cc0be590a23d33a5ebce1fd
                                                                                                    • Instruction Fuzzy Hash: 3DC13634B1CB464FE769DB1884A057577E1FF97300B1445BED68AD7292CE3AF8828B81
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #4$HB34$`B34$d
                                                                                                    • API String ID: 0-2388969351
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @654$@654$@654$@654
                                                                                                    • API String ID: 0-1078566704
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0P24$PP24$PP24$`C24
                                                                                                    • API String ID: 0-2402590841
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (ML4$KL4$ML4
                                                                                                    • API String ID: 0-2568605711
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0\24$`0D4
                                                                                                    • API String ID: 0-4094371542
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 04$X04
                                                                                                    • API String ID: 0-419999909
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: GC4$ GC4
                                                                                                    • API String ID: 0-3069059690
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: T:4$T:4
                                                                                                    • API String ID: 0-3495475692
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: hx24$_24
                                                                                                    • API String ID: 0-1862648381
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0\24$8324
                                                                                                    • API String ID: 0-2173788594
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: R&4$G,_H
                                                                                                    • API String ID: 0-109901142
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: KL4$ML4
                                                                                                    • API String ID: 0-4023820121
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: `C24
                                                                                                    • API String ID: 0-2759506754
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: h"34
                                                                                                    • API String ID: 0-834667515
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: H
                                                                                                    • API String ID: 0-2852464175
                                                                                                    • Opcode ID: ef04508dce7c43463834b8e56fca1ba3b7511fd0b7a23fb2a9b68b321a9e19a7
                                                                                                    • Instruction ID: 317e2f0042bb1b597111adca82e71d3b75f4352a93778589d07431264bc03c70
                                                                                                    • Opcode Fuzzy Hash: ef04508dce7c43463834b8e56fca1ba3b7511fd0b7a23fb2a9b68b321a9e19a7
                                                                                                    • Instruction Fuzzy Hash: F8A13621B0DECA4FEB659B6854A55B97BE0EF56310B0A41FFD04DC72D7DE6CA8068340
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: L_H
                                                                                                    • API String ID: 0-402390507
                                                                                                    • Opcode ID: 9fb2d14e75f2dbf7c78bb4765f64c2367a8380773cd81609389e1543233ae3d7
                                                                                                    • Instruction ID: fb549c765282159d2b539287ff55108645c8a1a4f2b1c59fd2ea931cc3d7dc0a
                                                                                                    • Opcode Fuzzy Hash: 9fb2d14e75f2dbf7c78bb4765f64c2367a8380773cd81609389e1543233ae3d7
                                                                                                    • Instruction Fuzzy Hash: D7811257F0ED1A8FF7E6961C54A827423C1EFAB691B2000B7D6CDD33A5DD1EAC865280
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: _24
                                                                                                    • API String ID: 0-2155595839
                                                                                                    • Opcode ID: 169507b7573f479b78793be422fcca725761c2e0731d52acb23d94897488d55b
                                                                                                    • Instruction ID: 5c80858997564b2102182956715cd4456b47363d4e7108cb50ff36f79bc60ccf
                                                                                                    • Opcode Fuzzy Hash: 169507b7573f479b78793be422fcca725761c2e0731d52acb23d94897488d55b
                                                                                                    • Instruction Fuzzy Hash: C6716A31B1CA894FE759EB2C94A55757BF1EFA6310B0001BFE489C71A3DE29A846C381
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: /X_H
                                                                                                    • API String ID: 0-4271806277
                                                                                                    • Opcode ID: a57cfd0eb50fdc519b78dae0b52108f9abe1afaca96a7eb5c5bd415fc1d6bdb1
                                                                                                    • Instruction ID: 7477aa1d21fb99688e7d20adbe3c84b71bf57f72b84b64f554c3d7af4b98e77e
                                                                                                    • Opcode Fuzzy Hash: a57cfd0eb50fdc519b78dae0b52108f9abe1afaca96a7eb5c5bd415fc1d6bdb1
                                                                                                    • Instruction Fuzzy Hash: 83A19575E1855D8FEBA8EB28D8A87EC77B1FF55340F0001BAD50DE7192DE3969828B00
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: o2_H
                                                                                                    • API String ID: 0-550142350
                                                                                                    • Opcode ID: c620cea75ba76bdccae065ca17cb2a9c698536e0c936b11b16c86d121290fff9
                                                                                                    • Instruction ID: c7ae659987e7419bb0e5956baee5b8379aa6b75d8a48bec66de78a3ed0a2852e
                                                                                                    • Opcode Fuzzy Hash: c620cea75ba76bdccae065ca17cb2a9c698536e0c936b11b16c86d121290fff9
                                                                                                    • Instruction Fuzzy Hash: CC91C671B0DA4A4FDF85DF6884A59A97BE1FF6A300B4500FAE049C7296DE6CEC42C741
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: pCC4
                                                                                                    • API String ID: 0-3259475050
                                                                                                    • Opcode ID: 9cc955e3e2df2a1d81104fd53c15964319fea65687f146a6a5ecc0622c9864b4
                                                                                                    • Instruction ID: 5e8f6414ac206218af147b7f0c7126f9819fef5449b376b2b36a2bb01c1bf355
                                                                                                    • Opcode Fuzzy Hash: 9cc955e3e2df2a1d81104fd53c15964319fea65687f146a6a5ecc0622c9864b4
                                                                                                    • Instruction Fuzzy Hash: 4171B131B089094FEF94EB6CD4A9BB977E1FF59710B81007AD14ED7296DE28EC419740
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @L4
                                                                                                    • API String ID: 0-3790683378
                                                                                                    • Opcode ID: d56568b142928e846db917f705c8671bca4f487e63270b86cc926bcd2e0bab8f
                                                                                                    • Instruction ID: b516cca8c90c3bf75bd311c97ad116e2bf7c6fffe2c440d3b6641eee1073e455
                                                                                                    • Opcode Fuzzy Hash: d56568b142928e846db917f705c8671bca4f487e63270b86cc926bcd2e0bab8f
                                                                                                    • Instruction Fuzzy Hash: 5C716F73E0D7861FEB65A67CA4B61F53BE0DF53224B0501FBD18CC709BDD29A8469241
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: pCC4
                                                                                                    • API String ID: 0-3259475050
                                                                                                    • Opcode ID: b06cdfa00884a69c9c1893120ebf63b8b48eaca3425cd2d2ee86afe11310fd1a
                                                                                                    • Instruction ID: 69bb98258255c4e5c84bb54b4e42a16031d0f60cf416e70189fae6645aaf64c3
                                                                                                    • Opcode Fuzzy Hash: b06cdfa00884a69c9c1893120ebf63b8b48eaca3425cd2d2ee86afe11310fd1a
                                                                                                    • Instruction Fuzzy Hash: 4D51BE71B0884E4FEF94EB1CA4A96E877E1FF69314F05017AD50DE3295CE6CA842C780
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: P_>4
                                                                                                    • API String ID: 0-3990378235
                                                                                                    • Opcode ID: 82e9441a0ca7c7c533824a8b20a890c029b564028ed440354834aded53240e6e
                                                                                                    • Instruction ID: 6540d2f294ad67553fd04fd45dca3d5578ccce288799be591efb5f0d34f8ec61
                                                                                                    • Opcode Fuzzy Hash: 82e9441a0ca7c7c533824a8b20a890c029b564028ed440354834aded53240e6e
                                                                                                    • Instruction Fuzzy Hash: AC51E262B1D94B4BFBA8965CA0A61B973C1EFA6300B45017ED58EE72D7DD6CBC029340
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ^M_^
                                                                                                    • API String ID: 0-3273950326
                                                                                                    • Opcode ID: a3ca432d7ef543776be5af94896816d39ad41d8c7b71814e8faad8ece0dc4fc4
                                                                                                    • Instruction ID: 48014b4c8016766f1b53a1c89cfdc13d403293c1a1cf52ea21eeda4e55f25cc6
                                                                                                    • Opcode Fuzzy Hash: a3ca432d7ef543776be5af94896816d39ad41d8c7b71814e8faad8ece0dc4fc4
                                                                                                    • Instruction Fuzzy Hash: 1951B477A1C7964FD312A7B8A4752E93BB4DF4323570942F7C588DE0A3E91D284AC3A1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: h+C4
                                                                                                    • API String ID: 0-288244098
                                                                                                    • Opcode ID: f5b886523e29b3b6efd42790895b73bff664150734ebf33490b8da23b6b37146
                                                                                                    • Instruction ID: edf6366eb593cce6622460302aafed0b2e4b88f29dea127d8729e07a6f71a922
                                                                                                    • Opcode Fuzzy Hash: f5b886523e29b3b6efd42790895b73bff664150734ebf33490b8da23b6b37146
                                                                                                    • Instruction Fuzzy Hash: E0417822B0DA494FE7A9D62C28A657837D1EFA7311B0600BFD58DC7297DC5DAC129382
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: >.4
                                                                                                    • API String ID: 0-2234533153
                                                                                                    • Opcode ID: e018fbbc9ea7087dc4084933d84e79b2458b370e925aaa2b01493240c7eac540
                                                                                                    • Instruction ID: ec8a6e4c03c2b67146f45420c13fbbacd9a4abb18c40e3fddb300eeb711ec70e
                                                                                                    • Opcode Fuzzy Hash: e018fbbc9ea7087dc4084933d84e79b2458b370e925aaa2b01493240c7eac540
                                                                                                    • Instruction Fuzzy Hash: D9519574E08A1D8FDF98EF58C4A5AADB7B1FF59300F5041A9D10EE7291CA35A981DF40
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: _
                                                                                                    • API String ID: 0-701932520
                                                                                                    • Opcode ID: 12434a0f92090c75c6da43660a20a32c1ec596db31820fe9aea4e797e02ca0c3
                                                                                                    • Instruction ID: f7b34392959886c6ddb70defdbe735eddb95b184e2e7bb95693231bfc75d2eb4
                                                                                                    • Opcode Fuzzy Hash: 12434a0f92090c75c6da43660a20a32c1ec596db31820fe9aea4e797e02ca0c3
                                                                                                    • Instruction Fuzzy Hash: 5E510C22B0DB8B1FEBA5CB2D58A52A53BE0EF5321471A02F6D549CB08BDD1CB8069341
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 04
                                                                                                    • API String ID: 0-2472179329
                                                                                                    • Opcode ID: 2c079bb2b908842bfaf4645475ddc05ac2dd04302e87177a27149f1ef26688f0
                                                                                                    • Instruction ID: d240f2a16ba2f775b4831b0164aaa6f66ccb8e1fdda5a8e5659f9074511edff1
                                                                                                    • Opcode Fuzzy Hash: 2c079bb2b908842bfaf4645475ddc05ac2dd04302e87177a27149f1ef26688f0
                                                                                                    • Instruction Fuzzy Hash: 88410926B1CD4A4FEB98DA6C94B52B573E1FF96320B4502BBD14DDB286DD1EEC028341
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: pG@4
                                                                                                    • API String ID: 0-3999489909
                                                                                                    • Opcode ID: cd94aeb1ad074871cd8e25c687494464089e72172a03dabdb4a57a1d8e7335be
                                                                                                    • Instruction ID: 93acacdd8d9baf898b7470d7211792d71e996c38734a6a7320729e18bb64ef1b
                                                                                                    • Opcode Fuzzy Hash: cd94aeb1ad074871cd8e25c687494464089e72172a03dabdb4a57a1d8e7335be
                                                                                                    • Instruction Fuzzy Hash: 7641A121B1CD4A4BFFA8EA6894A15B873D2FF95700B95007EE54DD339ADD6CFC428680
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Instruction ID: 1e2ad21bf91fce30e5b14d6726edb318a5d2b70528b40ec1b9f50d5c1f79eb92
                                                                                                    • Opcode Fuzzy Hash: b009bed9de31f74b6e133534515b085bbee2f75b01ab8b6727f7b1eeaca688c1
                                                                                                    • Instruction Fuzzy Hash: 0AF02461A0D68C5FD346EB3888B83A87FF0EF1A201F8502F7D145DA1A2D92C4948C301
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 13d3164d73ade5b6a2eb70cf9711d0a59acc34711df76c50e802d545d6433dc0
                                                                                                    • Instruction ID: 5e63e015cc8010fab0d9a6519cc793962a9afec3fedcd74759fab2ec46f6c8ba
                                                                                                    • Opcode Fuzzy Hash: 13d3164d73ade5b6a2eb70cf9711d0a59acc34711df76c50e802d545d6433dc0
                                                                                                    • Instruction Fuzzy Hash: 98D10134B1C6464FE768DB1884A623AB7D1FF97700F25817DD18AD3292DE2DEC428782
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5a97e2b1ab208fa0bf5aa38592c58747f348e53db7fe51aa75847de75fc5a15b
                                                                                                    • Instruction ID: 1e5d78092389b9eb016123db84d75731e011464ebd1a3ca1920f0c2ea7148406
                                                                                                    • Opcode Fuzzy Hash: 5a97e2b1ab208fa0bf5aa38592c58747f348e53db7fe51aa75847de75fc5a15b
                                                                                                    • Instruction Fuzzy Hash: 37E13D35A08A4D8FDF84EF18C4A4EA93BE1FFA9344F1501B9E44DD7295CA35E842CB81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 45e7b2d33802e960ab405cde5488d6b7a6abb8873094a3745f9cc427d3eb6c73
                                                                                                    • Instruction ID: d997f85533b7e201172ee3dea27adbdfd9798adebe56775f01da45e5b88fb484
                                                                                                    • Opcode Fuzzy Hash: 45e7b2d33802e960ab405cde5488d6b7a6abb8873094a3745f9cc427d3eb6c73
                                                                                                    • Instruction Fuzzy Hash: C4A1A471718A494FEB94EB6C84A9B7577D2FF9A300F1540BAE14DC73A6CE28AC41C741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8d0261b5f262c592110d786ca1d02ae265a6f208faaf6df3068f3d13b1b089f5
                                                                                                    • Instruction ID: 65dfb5be94fe04da6a1f9613c68c1cc3ee55fd5e55fb8f9b9565560e9b4bc4fd
                                                                                                    • Opcode Fuzzy Hash: 8d0261b5f262c592110d786ca1d02ae265a6f208faaf6df3068f3d13b1b089f5
                                                                                                    • Instruction Fuzzy Hash: 40914435B1CB4A4FE768DE6C84A55B6B3E0FF56314B14067ED18AC3292DE39F8428781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6e5508f4547b9bbacf323f50977fa9c7d6c5b8be553636eb503380aca467703d
                                                                                                    • Instruction ID: a4d762e4687a0d0e42bbc5f88d6eaedd80e44c1be4acc3109847b19f72ec10bb
                                                                                                    • Opcode Fuzzy Hash: 6e5508f4547b9bbacf323f50977fa9c7d6c5b8be553636eb503380aca467703d
                                                                                                    • Instruction Fuzzy Hash: 51915931A0D7834FF359862488E51B4BBE1EF83315F1941BED58ACB2DBDD6C68869342
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c3da40ad7d068f08d2bc03118745a9f5533f29aedec48214c4afe590f3eced03
                                                                                                    • Instruction ID: 20326604309bc9fdde01cce00ce24d1153163420d12733948aabee9656e5047c
                                                                                                    • Opcode Fuzzy Hash: c3da40ad7d068f08d2bc03118745a9f5533f29aedec48214c4afe590f3eced03
                                                                                                    • Instruction Fuzzy Hash: B7818E34B187458FD758DE1CC4A263AB7E1FF9A705F10453DE5CAC3291DA39E8028A42
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6d25fd6a3cc79a8eb5080838e9b561dc68432cd073396ab9d5f585050d382880
                                                                                                    • Instruction ID: b461394653dc425101f64d63bf773f4c56a35386a05cfd75142a63f4d77a1067
                                                                                                    • Opcode Fuzzy Hash: 6d25fd6a3cc79a8eb5080838e9b561dc68432cd073396ab9d5f585050d382880
                                                                                                    • Instruction Fuzzy Hash: CB91A775B09A4D4FEB94DF68C8A56ADB7F1FF96300F00067AE059E7196CE29AC01CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a2ab79a36451cb5d530c0040df073c501c18b85c4aa86bfd3cece03371dc1981
                                                                                                    • Instruction ID: 4929578ad4cd4d52fb58aca01dd46c23bc48c6fc2cf2321369cd307916a1d880
                                                                                                    • Opcode Fuzzy Hash: a2ab79a36451cb5d530c0040df073c501c18b85c4aa86bfd3cece03371dc1981
                                                                                                    • Instruction Fuzzy Hash: 9D71143070C9494FD7A9EB2CD4A9A7937E0FF5A71074500FAE58EC72A6E919EC428781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7ef17b5db7e91cae1a467f39af1ff7dd0b533fddbd455f3c2f2a0be8a1036f82
                                                                                                    • Instruction ID: 0eff478ec8dfab2164d27edc786c4171e8f508ae3d412895195a1aa4df504815
                                                                                                    • Opcode Fuzzy Hash: 7ef17b5db7e91cae1a467f39af1ff7dd0b533fddbd455f3c2f2a0be8a1036f82
                                                                                                    • Instruction Fuzzy Hash: 24718D2770E5990FE365A66C68B52FA7BE0EF9732570802F7D18CCB1A3DD095806D391
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e12585adc9d630bc3d810e1aaddaf0f36f397851f0bb54fcad257025ec980dfb
                                                                                                    • Instruction ID: e4831b1afdca6d474d56b003486ecd381eedb05781d423738afc065cca2d9dfa
                                                                                                    • Opcode Fuzzy Hash: e12585adc9d630bc3d810e1aaddaf0f36f397851f0bb54fcad257025ec980dfb
                                                                                                    • Instruction Fuzzy Hash: DB815434B1CB894FE768DF2884A56B677E0EF57314F14063ED58AD3292DE29F8428781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d665b6e63f8dcfb5e8c817c1e843e49be0b752caaf9eb0573c506a88cc6de814
                                                                                                    • Instruction ID: d370c54a2683df7dce1c427539cc37b808dd8f19829eb8d6b50974b8c3bf6c9c
                                                                                                    • Opcode Fuzzy Hash: d665b6e63f8dcfb5e8c817c1e843e49be0b752caaf9eb0573c506a88cc6de814
                                                                                                    • Instruction Fuzzy Hash: CE718D27B199594BE760A7ACA4B52FD7BE0EF97320F0442B7D54CEB183CD0E58068781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ca57cf7f5ec3978866072e32cd66147f643fea0bce973d6d66653cc2b266c993
                                                                                                    • Instruction ID: 5b0ade91b84deccffb9241adec6f2ba4d947e86b4574b34b265f03aab824db89
                                                                                                    • Opcode Fuzzy Hash: ca57cf7f5ec3978866072e32cd66147f643fea0bce973d6d66653cc2b266c993
                                                                                                    • Instruction Fuzzy Hash: F071F535B0CA094FEBA4EB5894A0AB5B7E1FF5A314B0401FAD44DD7297CA2AB846C750
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c434ce241d1decca0fb1a589f9f8aab9089abd116d4dc8292e6ad54db22cd0d3
                                                                                                    • Instruction ID: eb2527f3358a9bcd9b10f109600b007c63c71ea0a8b88fa2db0cc9790d384863
                                                                                                    • Opcode Fuzzy Hash: c434ce241d1decca0fb1a589f9f8aab9089abd116d4dc8292e6ad54db22cd0d3
                                                                                                    • Instruction Fuzzy Hash: 5671F470D08A5C8FDBA8DF58C885BE9BBB1FB59300F1081AAD44DE3255DB74A985CF81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: aabe48acfb4ce802cf729f1529d4554d831adbecec316b343d189d447d6af673
                                                                                                    • Instruction ID: 5993e7a47699b574d813e8fc1dd9489da016429f119e5526d9cdaf11c2a3e1b6
                                                                                                    • Opcode Fuzzy Hash: aabe48acfb4ce802cf729f1529d4554d831adbecec316b343d189d447d6af673
                                                                                                    • Instruction Fuzzy Hash: 95811E30B185098FEBA4DB58C4A5BA9B3E2FF95305F614179C10DD729ACE7DAC82DB40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9b2c4628c9c58d500df7a4cd278071611179ec699cff5f05135b156a0c48b92c
                                                                                                    • Instruction ID: 0a07a096eefcb29d5743ee63ef7740967b2e33f39ce429ba46042766e4fc4149
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8784089110c53b62df75ca6ab32363bc139ab901abf1df6012015be7c8961abb
                                                                                                    • Instruction ID: aa9c3b12b3b51704fbe036537fedc5ff9240f4bfcc7a4b1d1eaba5aac2c0cd9a
                                                                                                    • Opcode Fuzzy Hash: 8784089110c53b62df75ca6ab32363bc139ab901abf1df6012015be7c8961abb
                                                                                                    • Instruction Fuzzy Hash: 75415076F14A5D4FEBA4DA58D8A97A9B3F1FF59300F0002F6D41DE7292CE3569828B40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 859ddb8eb3eb458845f62a01a53b54c8c357c3ffece73b8e1450dd919b2860b2
                                                                                                    • Instruction ID: 9a94323f2f02e20e4b543a02d41f1128d8afc5173d79a54bca4344815c5dac2d
                                                                                                    • Opcode Fuzzy Hash: 859ddb8eb3eb458845f62a01a53b54c8c357c3ffece73b8e1450dd919b2860b2
                                                                                                    • Instruction Fuzzy Hash: B841F734E0862D8FDBA8DB54C4A47BCB6B5FB59305F60507DC10EE7291CB7A6981DB40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0a9430e6282a62ac1ae65b6c7fc113d67ca768d0771fd0721b9105249522f4ef
                                                                                                    • Instruction ID: e83eb850dcbcdd70090c29b077418a8b80330d11522169cc1030bc2e7fcf4cf6
                                                                                                    • Opcode Fuzzy Hash: 0a9430e6282a62ac1ae65b6c7fc113d67ca768d0771fd0721b9105249522f4ef
                                                                                                    • Instruction Fuzzy Hash: E931F331B1CE1A4FEB98DB1C94A1579B3E1FF99711B14427AD44AC335ADE28FC428781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f68da561a0c7d940f2565af8b51764d893a6554da13cc30faa41be99b22c8b28
                                                                                                    • Instruction ID: 8a46f39db5db0fae896c34ccaf02b2da9676ad4e556a2ca822b62ec83350a957
                                                                                                    • Opcode Fuzzy Hash: f68da561a0c7d940f2565af8b51764d893a6554da13cc30faa41be99b22c8b28
                                                                                                    • Instruction Fuzzy Hash: 1E419071718A098FEBA4E76C84A9B6977E2FF9A300F1444B9E54DC3396DD28AC818741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6029254cac8d78d56415eae6ae7f202e10d53c77d75be74f4e41a40e80bbf218
                                                                                                    • Instruction ID: d2b5803d07872883004de900777662d96caca2f4d775d00da8c8e7bad54c9c34
                                                                                                    • Opcode Fuzzy Hash: 6029254cac8d78d56415eae6ae7f202e10d53c77d75be74f4e41a40e80bbf218
                                                                                                    • Instruction Fuzzy Hash: 14418035B1CA4A4FEA94EB58C4A577AB3E2EF96340F440539E18ED3296CE29E841C741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dc3e720765ca8d9b28b0570c61b9b6ff39d5003663af5c1b0e90d8a124fd8180
                                                                                                    • Instruction ID: 1c1de59f610054006fbff8ed1d14ea7db8479d78d9806e79fc326697e6d38014
                                                                                                    • Opcode Fuzzy Hash: dc3e720765ca8d9b28b0570c61b9b6ff39d5003663af5c1b0e90d8a124fd8180
                                                                                                    • Instruction Fuzzy Hash: D1311420B1CB584FDB58D60C98A177637E1EF8A720F0502BFE589C3296CE68BC4583C2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e1a21a23fd128f6539fe6594a539776d6e96b53e2bdd438894ff41956701a65d
                                                                                                    • Instruction ID: eb3748b99631115d0b8a2b267659cde60e04cbaf8e80ee014821e410f5c355fd
                                                                                                    • Opcode Fuzzy Hash: e1a21a23fd128f6539fe6594a539776d6e96b53e2bdd438894ff41956701a65d
                                                                                                    • Instruction Fuzzy Hash: 7C310426B0DBCA0FD7969B6848B02743FF1EF9720070941EBD089CB197DE1D98068712
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bdb9df081068bf185d8687cb5df8d5b11cae9ecf6268935fd49f99f896606754
                                                                                                    • Instruction ID: 1a263394c6909b83c475794f62b84994e88c051c8bf1a092ee05cfa4278b526e
                                                                                                    • Opcode Fuzzy Hash: bdb9df081068bf185d8687cb5df8d5b11cae9ecf6268935fd49f99f896606754
                                                                                                    • Instruction Fuzzy Hash: BC314612B0D98A0FE799977C18B96A57FD1EF9A304B0940BBD18DCB29ADD5CAC128341
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a8f039ee8539ddee942be3a5884e128abbc31fd4a26bfa51e0cd3754930d9889
                                                                                                    • Instruction ID: 19bb0109cbe7a3e14952dc20e2f02c22afae0d844009124a7120f854a899b0e8
                                                                                                    • Opcode Fuzzy Hash: a8f039ee8539ddee942be3a5884e128abbc31fd4a26bfa51e0cd3754930d9889
                                                                                                    • Instruction Fuzzy Hash: DC315D26B0DE8A0FE7A5EE6C54E52F07BF1EB5A310B0401BBE149DB193DD1DAC469340
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: eced647c867a29b522174b2690bf07390a220678860d3e31adffd1217685e2e8
                                                                                                    • Instruction ID: ef660d84370bff4d36eb4ed2e5c7db30c30ed292bb91bc5746d75d560101147e
                                                                                                    • Opcode Fuzzy Hash: eced647c867a29b522174b2690bf07390a220678860d3e31adffd1217685e2e8
                                                                                                    • Instruction Fuzzy Hash: 25319B3570DA494FDB58D61C9896A7137D0EF57320F0601BAE44EC72E2DE2AFC029341
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3a00d8fecb279c27f5fa71db91edcaebe28998f6999543109a91e390758fd77c
                                                                                                    • Instruction ID: 19869826b885c0c52ee2b1d96d0e940feb1ac3506b3d0a224908746db6950097
                                                                                                    • Opcode Fuzzy Hash: 3a00d8fecb279c27f5fa71db91edcaebe28998f6999543109a91e390758fd77c
                                                                                                    • Instruction Fuzzy Hash: 5631B3307188094FEAA8DA1CD4A567873D1EF49700B5111BAE58FC73E5ED19EC429B81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a740832bd7229996fc96e2a63d55b73177ec0ebfc2f812b561df060dd9f7a064
                                                                                                    • Instruction ID: 315a166de17377269efb84b1868147ca25fa54504eddb82d8f21d5f57f771917
                                                                                                    • Opcode Fuzzy Hash: a740832bd7229996fc96e2a63d55b73177ec0ebfc2f812b561df060dd9f7a064
                                                                                                    • Instruction Fuzzy Hash: 6821E426B0DC0E0FEAE8E61C64B427923C1EBDB355B54417BD68DD3385DE2AEC429350
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0e1e70613c305afe763043bf2c0309d3c6eb8ad6f493301a612350c7e56412d5
                                                                                                    • Instruction ID: a3ce2f0340e794868a3ff427b45b8f0d09c9399a1899bfd7d59285cc2eda87b5
                                                                                                    • Opcode Fuzzy Hash: 0e1e70613c305afe763043bf2c0309d3c6eb8ad6f493301a612350c7e56412d5
                                                                                                    • Instruction Fuzzy Hash: 2D312735B08E194FE7A4DB1888647A6B7E2FFD6310F1541BAC10DD7296CE78AC41C781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f78d8f4a07c1a1eb51e145ac898b8801c48ba44972b476d83654d648f6132e66
                                                                                                    • Instruction ID: b1a51ae789b5f876560f36269ff34e65e04190d2a039eae4c64d7afd60fdc232
                                                                                                    • Opcode Fuzzy Hash: f78d8f4a07c1a1eb51e145ac898b8801c48ba44972b476d83654d648f6132e66
                                                                                                    • Instruction Fuzzy Hash: 98310835B0CE454FE7A0C9189494675B7D1EFA6324F04057AD48CE33A1CA59E981D355
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3e7017b0cb612e57beae90d7456ce9d20260792773862721794bd4cb8fdc2e02
                                                                                                    • Instruction ID: 9d04bc5d9f5cc7aaf4fb8dc1f7b0806ce140ec416b28e0c1df934e2d42cca212
                                                                                                    • Opcode Fuzzy Hash: 3e7017b0cb612e57beae90d7456ce9d20260792773862721794bd4cb8fdc2e02
                                                                                                    • Instruction Fuzzy Hash: 4F318E71718A098FEBA4E76C946AB6973E2FF9A300F4040B9E14DC33D7CD28AC418781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a60a0905a8793a81b10833086578f6914738f6a193dda5d58f1128098c1f7091
                                                                                                    • Instruction ID: c3543038d593b5867f447b1e510cde738cbe1cbd857fea21e0e6cbf350567f50
                                                                                                    • Opcode Fuzzy Hash: a60a0905a8793a81b10833086578f6914738f6a193dda5d58f1128098c1f7091
                                                                                                    • Instruction Fuzzy Hash: 5C213D73B0ED950AE7E4926D78F10BCBBC0DF8622471A02FBD14CD6196D80FAC429780
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fe7ca0ab77fc6c653aa03e26a6a11c88bc89794819e13653d6f2a8d836e8f9ee
                                                                                                    • Instruction ID: ff2bad6f846a3a78e841f43d6c2489119ec0157d6389fde0a034fe3077151c13
                                                                                                    • Opcode Fuzzy Hash: fe7ca0ab77fc6c653aa03e26a6a11c88bc89794819e13653d6f2a8d836e8f9ee
                                                                                                    • Instruction Fuzzy Hash: DE31273594D2894FD7154B2098722F97BF4EF03310F0501BBD548EF492CA2E5696C761
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2ab3b27a46c9503e1e5cbba3aacfc913de4a0c27d5926f16f1bb3f49158a8a81
                                                                                                    • Instruction ID: 19cbf802a96bdba9c2ccad5881eeb2171f761da97e8fdbcccde49ceddec042ae
                                                                                                    • Opcode Fuzzy Hash: 2ab3b27a46c9503e1e5cbba3aacfc913de4a0c27d5926f16f1bb3f49158a8a81
                                                                                                    • Instruction Fuzzy Hash: DE311435B1890A8FEF99EE48D4A16B973B1FFA5300B214179D14ED718ADE29F843C780
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3f270d2317b727e258cd0db83547e691656570e166b2f6348d2b4f43a8918c91
                                                                                                    • Instruction ID: 630096c7d61dcad7b7c3ecb37530ffd5a09b5c31bc6d4f3762a987c1553fadbb
                                                                                                    • Opcode Fuzzy Hash: 3f270d2317b727e258cd0db83547e691656570e166b2f6348d2b4f43a8918c91
                                                                                                    • Instruction Fuzzy Hash: 3A210A35B0CD090FE798EA2C9859B7173D1FFEA251B4001BAE54FD3293ED1A9C418380
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 81a6e27147b03fc4d9f78fb6522248b928e8ef513e1f7d1b750fddea31b31bc9
                                                                                                    • Instruction ID: b1d144caf54da8e7f78d07320f8736abbab439bee14dce8849151de7f92585bf
                                                                                                    • Opcode Fuzzy Hash: 81a6e27147b03fc4d9f78fb6522248b928e8ef513e1f7d1b750fddea31b31bc9
                                                                                                    • Instruction Fuzzy Hash: BC31BD21A0E7C20FD75B877868650A13FA1EF5322432A41FBD048DB1E3DA1EA947C366
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9f9dc302d6b0c63a49b2e4bd46026550481402e152ea503ec9fd863db31ec5f9
                                                                                                    • Instruction ID: c80b18eed9055300340a83125693f4512b4d167ad085a1a3c8ecc11ea88ece94
                                                                                                    • Opcode Fuzzy Hash: 9f9dc302d6b0c63a49b2e4bd46026550481402e152ea503ec9fd863db31ec5f9
                                                                                                    • Instruction Fuzzy Hash: 3C315734E0962D8EEB64DB58C8A47EDB6F0FF45300F601179D50AFB292CA392985DB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 326bd99bfdc1ad815aa89349c80010b481be07081536f28b9e650e3ff5b15394
                                                                                                    • Instruction ID: 3b5b060be07722a9e8cc81700c34aabd2da718d1328e56189aa4e4a704271844
                                                                                                    • Opcode Fuzzy Hash: 326bd99bfdc1ad815aa89349c80010b481be07081536f28b9e650e3ff5b15394
                                                                                                    • Instruction Fuzzy Hash: 0F117A36B1CD490FEBD9912CA0A527A27C1DBDB26571401BBD58DD3252DD198C838380
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 24547bd7dbf44af936aa3094306bfffb763bdbee77d380fb543e135854bd9296
                                                                                                    • Instruction ID: 21cf10c98bf7bf8743958f6ddaf893bf38603715cc3ac3c4c84115b045cb334d
                                                                                                    • Opcode Fuzzy Hash: 24547bd7dbf44af936aa3094306bfffb763bdbee77d380fb543e135854bd9296
                                                                                                    • Instruction Fuzzy Hash: F1318131618A458FEBA4EB28C094FA6B3E1FF95300F444979E18FC32A5CE29F841C741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d37bc549a0731a8e05fb9bc6b1da78882a6102b4146a8b154f69344d1fd76e49
                                                                                                    • Instruction ID: 32caeefaf5ce772aa3a0098cce24b4d936054efb5f63f4e188e82acdbee5988e
                                                                                                    • Opcode Fuzzy Hash: d37bc549a0731a8e05fb9bc6b1da78882a6102b4146a8b154f69344d1fd76e49
                                                                                                    • Instruction Fuzzy Hash: 4821C03270DE484FDB86D62C98E86643BE1FF9E31471A01EAE18DC72A6D950EC41C741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cb4b7c811f48338f4915500e7849945ccefdc4dce896913b6a4a174f6d28a710
                                                                                                    • Instruction ID: 6ede6b88608f3d332dfaed45e5d88888be269ce159acc65cc618597342039b4e
                                                                                                    • Opcode Fuzzy Hash: cb4b7c811f48338f4915500e7849945ccefdc4dce896913b6a4a174f6d28a710
                                                                                                    • Instruction Fuzzy Hash: 19310775E1961D8FDB48DF94D4B19FCB7B1AF4A300F54003AE10EFA281CA3E6904AB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: df0d5db1fa2819b0d152f38b58181c3310db1d5d869aa4ce12b59cbcabcf0161
                                                                                                    • Instruction ID: aeff477f0cae9bff0317f39943a521ef745c59574f3ffccdfe729818ef7ec437
                                                                                                    • Opcode Fuzzy Hash: df0d5db1fa2819b0d152f38b58181c3310db1d5d869aa4ce12b59cbcabcf0161
                                                                                                    • Instruction Fuzzy Hash: 4D31A03150E7C64FC3578B7888612917FF0EF07224B1E44EBC485CB0A7E2689C0AD751
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: edda184941dfb85183357028c881b5b09e3e0a61186ec0fdcc7a0bff8d7f91eb
                                                                                                    • Instruction ID: add6b37ca9e3556c383c2af62d2a8ed8dcda5309737bfb13801f23ddbef01889
                                                                                                    • Opcode Fuzzy Hash: edda184941dfb85183357028c881b5b09e3e0a61186ec0fdcc7a0bff8d7f91eb
                                                                                                    • Instruction Fuzzy Hash: C221803064CA0A8FDB55EF28C4A1B6177E1FF56300F1A45F9C109CB29BDA6EE841C791
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a5268b46d1ae11af37ad52ce360c6d6b42f41f506fb25ee9d0231cda158e904c
                                                                                                    • Instruction ID: edba8a8f792713338c9a08906b60d64e9e798279dc9b76dc1200e67bd89f8ee8
                                                                                                    • Opcode Fuzzy Hash: a5268b46d1ae11af37ad52ce360c6d6b42f41f506fb25ee9d0231cda158e904c
                                                                                                    • Instruction Fuzzy Hash: 08210A36A0D68D4FEB94DF2888F52E97BF0FF56300F0400B6D558DB196CA39A801C750
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 91706099127c1a904441b3a9677f1c9b0051327d0d8826b060816f23da93999e
                                                                                                    • Instruction ID: 954abb7d0a401be7072c8c6bd9a88978e13b7c0a660c60ac58dbb4c3507941d3
                                                                                                    • Opcode Fuzzy Hash: 91706099127c1a904441b3a9677f1c9b0051327d0d8826b060816f23da93999e
                                                                                                    • Instruction Fuzzy Hash: 0D219D3588E3C54FD3128B7068625E57F789F03211F0A01E7D488EF4A3C92E9A9AC362
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 207d58afba38bd97a821b7646ba230117ac0d0450cf00104b12d875f423ca805
                                                                                                    • Instruction ID: b69ab05e302fddb99acd7ba13c5e2369452c2608f27f99ab1aa8768b38480718
                                                                                                    • Opcode Fuzzy Hash: 207d58afba38bd97a821b7646ba230117ac0d0450cf00104b12d875f423ca805
                                                                                                    • Instruction Fuzzy Hash: DC21B16261EAC40FE796933848796753FE0EFAB20070A41FBD449CB2A3DD4C9C06D352
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6c6960630a12eed690c732b7ba418ad3244efc11d4cf897908982587fdb8437d
                                                                                                    • Instruction ID: 6b05fba6a173f0de427a7f978173859ad8abdbd1a384a044ffe125ff50f5b6d0
                                                                                                    • Opcode Fuzzy Hash: 6c6960630a12eed690c732b7ba418ad3244efc11d4cf897908982587fdb8437d
                                                                                                    • Instruction Fuzzy Hash: 63210472F09A8C0FEB91DB6888A52EC7BE0EF5A320B0600F7D508E3297DE1D5C448391
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0f6ccb1a88bc2cf5e36875a119625fa86e47ac7bee50537d8dc246798c6cb3b0
                                                                                                    • Instruction ID: c23f176e8b1d180246d200e7abcdd0e4bc27f369300b1f6ed13a39330cee0197
                                                                                                    • Opcode Fuzzy Hash: 0f6ccb1a88bc2cf5e36875a119625fa86e47ac7bee50537d8dc246798c6cb3b0
                                                                                                    • Instruction Fuzzy Hash: C0216F31628A458FEBA4EB28C094BA6B3E1FF56300F504979E08EC3295CE29B845C741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 34c3af9d9fdd9aa08a185aee5878ba0aa812b06427a71f3eeadff3e25b486946
                                                                                                    • Instruction ID: 70f4fa184d7cfb8e143fd3902faa404246155feea826b467aa5102c56f77ac44
                                                                                                    • Opcode Fuzzy Hash: 34c3af9d9fdd9aa08a185aee5878ba0aa812b06427a71f3eeadff3e25b486946
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 856edbfc376c8a29ee034c0c9f287c0443fd61d7c574a5056ced8eb1bf119c6f
                                                                                                    • Instruction ID: c816c4e98c661b8eec42ca84c97dd0b7f6e1eacd2d5b0dabfef1092d85b31714
                                                                                                    • Opcode Fuzzy Hash: 856edbfc376c8a29ee034c0c9f287c0443fd61d7c574a5056ced8eb1bf119c6f
                                                                                                    • Instruction Fuzzy Hash: 5101D853F0C95B0BF5A8525C34A21F463C2DF97720B068177D20FC678BED5DA8035180
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8f328ff430954bbd58b335113e4b3917941be8c1e5d42f190ba2dddf9a06678c
                                                                                                    • Instruction ID: 92efe183c52699a504715fe87e67df71b0a5c43dda51e38f56023d58126b7394
                                                                                                    • Opcode Fuzzy Hash: 8f328ff430954bbd58b335113e4b3917941be8c1e5d42f190ba2dddf9a06678c
                                                                                                    • Instruction Fuzzy Hash: 8501D13A70D80C4FE6E8EA0CA896A7433C2EB9A32030505F7D94DDB752D916EC824381
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9f5e9221881486dfc8fbde4100b844d736670410fd110c52e628b4e3d7fd1d28
                                                                                                    • Instruction ID: 33fdee1dc4619be9188ed888616da413b9578bdd8a5357901c527da0e75525da
                                                                                                    • Opcode Fuzzy Hash: 9f5e9221881486dfc8fbde4100b844d736670410fd110c52e628b4e3d7fd1d28
                                                                                                    • Instruction Fuzzy Hash: 8211D234E08A1D8FDF98DF58C8A17ACB7B1FF9A300F1051AAC10DE7256CA3569809B40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7865c90cfad30fae6a302311af2cb7af1083948125e535b76e295f80d5a1da4f
                                                                                                    • Instruction ID: 85c013e930d601af3f92d7be3bc12f30c29516af33996f33733d9943c2366d6d
                                                                                                    • Opcode Fuzzy Hash: 7865c90cfad30fae6a302311af2cb7af1083948125e535b76e295f80d5a1da4f
                                                                                                    • Instruction Fuzzy Hash: E8119131E0461C8FDB84DF98D4A06EDBBB1FF56310F40017AD44DEB296CA395885CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7cc2b1fdf33eab29434048e111f93c3389c5f9c81d8a9167bab13331682e8ef2
                                                                                                    • Instruction ID: 0e3481e32951e9407bd136deb7dcad1e461a94f1c6a11305da90a42db2a0fafd
                                                                                                    • Opcode Fuzzy Hash: 7cc2b1fdf33eab29434048e111f93c3389c5f9c81d8a9167bab13331682e8ef2
                                                                                                    • Instruction Fuzzy Hash: C6118F28E1E64E4FE750DA1888B97B8B3B0FF4B300F4011B5E10DEA196CF6E68409A40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 89b995b761bb7eb6f2b38d7a78d7b2b5268b6de15dd7f6eaf7ec301d0388d85a
                                                                                                    • Instruction ID: 99fd1ec95dcd68cbdea882b66bde1fbc7348d2f62fc463162a44243fba165194
                                                                                                    • Opcode Fuzzy Hash: 89b995b761bb7eb6f2b38d7a78d7b2b5268b6de15dd7f6eaf7ec301d0388d85a
                                                                                                    • Instruction Fuzzy Hash: ED119D75A0A50E4FE784DF1884B56E9B2F1EF8A300F448179E00CE62D6CE3A6C41CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 417303ad3aec12675684907588b34027ced7e87c47cb9fbbde3249e7687d27e3
                                                                                                    • Instruction ID: 577c28b0a5908da9b0870c26a65c6879e8a913b7e0ae8f7fcd091b7446ba9e61
                                                                                                    • Opcode Fuzzy Hash: 417303ad3aec12675684907588b34027ced7e87c47cb9fbbde3249e7687d27e3
                                                                                                    • Instruction Fuzzy Hash: 8C01205BF1D8590FE355965C28F92F56790DF6713170501B7D54CD3293EC0D58069381
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 180f19c1f6ec042eb86417e94edf53db7452cb06d4f3633d85c6f54aa6bc1fe7
                                                                                                    • Instruction ID: 23463166546d57fccde404767c87f8439ed28cbdb7d756e10f62fe77c62f2a30
                                                                                                    • Opcode Fuzzy Hash: 180f19c1f6ec042eb86417e94edf53db7452cb06d4f3633d85c6f54aa6bc1fe7
                                                                                                    • Instruction Fuzzy Hash: 56112A75E0890D8FDF88DB98D0A5AFDBBF1EBA9311F50003EE10AE7291CA395841DB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 35cd30c123e1a2006065926aea05e38da06c8653ff26be8e87ba1bdd99777be1
                                                                                                    • Instruction ID: f07c612d380d9d1657d0194f3dbc5f7fc6c2d903d54571881a1b79884b0f2083
                                                                                                    • Opcode Fuzzy Hash: 35cd30c123e1a2006065926aea05e38da06c8653ff26be8e87ba1bdd99777be1
                                                                                                    • Instruction Fuzzy Hash: FF017B3161C8070FD305EB289854AF577E0EF47300B0585B2E808C7256DE2EB8C2C790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6bb64a3f04dc3ac680c7ae4fb2ac5ad478020275a4f4b2fee474ddf34336fe0e
                                                                                                    • Instruction ID: cc8c5b43171376ed2c29e78d37eb391b25b9cfce5b91f72bd84b80f8dedcba8b
                                                                                                    • Opcode Fuzzy Hash: 6bb64a3f04dc3ac680c7ae4fb2ac5ad478020275a4f4b2fee474ddf34336fe0e
                                                                                                    • Instruction Fuzzy Hash: A101D131B1C80D0FEA94EA5CA8A577673E5EB99321F01027BF60CD7292ED5AE8018380
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4f3b3d14572ef8e58d3e85b94c1341fec7ff1215e794d1ecb81bf5b629b5ed5a
                                                                                                    • Instruction ID: 1b6520602445a409341eefb3c537cdf48344c6db35278077257563d337e7302e
                                                                                                    • Opcode Fuzzy Hash: 4f3b3d14572ef8e58d3e85b94c1341fec7ff1215e794d1ecb81bf5b629b5ed5a
                                                                                                    • Instruction Fuzzy Hash: 5E017B3160C4470FD3159B28A8549B577E0EF47300B0541B6E40CD7297DA2EB882C780
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ab82fd6fb7132a34f0e4b98ceb367852f5c1cd1ced049541b87a48dca91d98bc
                                                                                                    • Instruction ID: 2a7f13d9cfe433cddc90cac7fe76cb9610d5dff8c81fb44cee3bd202401ffbc7
                                                                                                    • Opcode Fuzzy Hash: ab82fd6fb7132a34f0e4b98ceb367852f5c1cd1ced049541b87a48dca91d98bc
                                                                                                    • Instruction Fuzzy Hash: 79012B3171D6591FE391F62998956727FE5EF5B311B0600FBE54DC71A7CC09AC408391
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d776b3673cfc7770775ce9e5cdd65470c6f181a24a1d677f8d8a549d8b13832f
                                                                                                    • Instruction ID: 9b6ea44709cf18f58c34ba6c30960200db9a6418557c764000bca220c221e7cb
                                                                                                    • Opcode Fuzzy Hash: d776b3673cfc7770775ce9e5cdd65470c6f181a24a1d677f8d8a549d8b13832f
                                                                                                    • Instruction Fuzzy Hash: 67115A35E0991D8FDB88DB58D0A5AEDBBF1FF59310F44006AD40DEB282CA392885CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 02a3d3219108446b81cf028479dad22cd2a05dd7e24e4ca7d014ec9e026bc7b6
                                                                                                    • Instruction ID: e0ba1a27321764d51cfd9ff0afdfc5cb5e00162a6c49cdfc6f19c2163633c502
                                                                                                    • Opcode Fuzzy Hash: 02a3d3219108446b81cf028479dad22cd2a05dd7e24e4ca7d014ec9e026bc7b6
                                                                                                    • Instruction Fuzzy Hash: 9301F2A2B1DD0B0BEFA8994C50E753933C1EBA9744745407AD51DE268AED5CEC415780
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 858b34fc07c4d5f9c2187b22e83a8a1d26b43b93680befeeaa0a021f2ad29887
                                                                                                    • Instruction ID: 701a1a9db13a129c84e8d7b88600248d8a047ed4e0f11c3798e27c2ad61079a8
                                                                                                    • Opcode Fuzzy Hash: 858b34fc07c4d5f9c2187b22e83a8a1d26b43b93680befeeaa0a021f2ad29887
                                                                                                    • Instruction Fuzzy Hash: E3F0B43270D9980FE394952CAC5D9723BD4DBAB23231602FFE948C72B3E9069C028355
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d1691ea9afad8c1fc5dc03c49a8b5f0734ad0dd2fdeabce9c897733ae4698605
                                                                                                    • Instruction ID: 32f2d9c579c49d4bdf65c82ca876699f70ce8ff9ddfe159e829a571cbaf491ee
                                                                                                    • Opcode Fuzzy Hash: d1691ea9afad8c1fc5dc03c49a8b5f0734ad0dd2fdeabce9c897733ae4698605
                                                                                                    • Instruction Fuzzy Hash: 57F09663F5DE1A0BB6A8950834921F463C2DB96270B0B41BBD94EC278BDD4EAC4341C0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1cb6834ac9096c108a2f870fc9c830ccd2ace853499197ac35c381e24ac83b33
                                                                                                    • Instruction ID: dea6548f763f787b850813357413209299f87c7c171b23381161992cc6096469
                                                                                                    • Opcode Fuzzy Hash: 1cb6834ac9096c108a2f870fc9c830ccd2ace853499197ac35c381e24ac83b33
                                                                                                    • Instruction Fuzzy Hash: 89F0F4A3E0BDC54FE749CA2804A90657BD1EF2720470504FDD489DB276D95D2842D340
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8998cfa1fd8b8bb09ba5561612222960ee595eb97688a21318cf9d00fb1000e6
                                                                                                    • Instruction ID: dd8aa88299b6e3150a3c16975c513bdd1a7cf8a14200980eb1aac78d4bd7aae6
                                                                                                    • Opcode Fuzzy Hash: 8998cfa1fd8b8bb09ba5561612222960ee595eb97688a21318cf9d00fb1000e6
                                                                                                    • Instruction Fuzzy Hash: 99F0282460DACA1FD356973C84A46A07BE0EF47310B4941FAC548CF293DE5EBCD99751
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e8a223940a80fb8534a06da371e6c0b36788dec284e24c0e87463b0ba526820e
                                                                                                    • Instruction ID: c798ddf57e8ee3558b44908ed120ef612a6bc596610e96706db6513f3bb79254
                                                                                                    • Opcode Fuzzy Hash: e8a223940a80fb8534a06da371e6c0b36788dec284e24c0e87463b0ba526820e
                                                                                                    • Instruction Fuzzy Hash: 3701D634A09A8D8FDB44EF14C8A12E97BB1FF56300F0105BAE40CD7282CB7AE960C740
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bf39a118dbf843d6d2535454e05aca3c17996d31eb7424f5b3fc118b47fe357e
                                                                                                    • Instruction ID: 1c6d2e1d583b601f91babb209a4c56402e9ec0e1ab7f8cb2847320f71ef3d534
                                                                                                    • Opcode Fuzzy Hash: bf39a118dbf843d6d2535454e05aca3c17996d31eb7424f5b3fc118b47fe357e
                                                                                                    • Instruction Fuzzy Hash: 68F02732B18D190BEAB4AA2C60A97FA33D2EBC7350F000137D40ED2385CD1E68429381
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 046fb5d1a02d9c2f0efa566224013a8fd0bc93b8017a3ef3eedc736b603d3488
                                                                                                    • Instruction ID: 650ebc08f4a6bafc4c2227f1cf2cddf1450c1308aacaf2f5fed2dbac6e047b17
                                                                                                    • Opcode Fuzzy Hash: 046fb5d1a02d9c2f0efa566224013a8fd0bc93b8017a3ef3eedc736b603d3488
                                                                                                    • Instruction Fuzzy Hash: 3EF08534D0860C8BD720AE69A0507F9F7B4EF4B309F44213AD00CAA180C37A9AA5CB18
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6a40d7dc08a5c9f733bfb81ac1938db2d2f172daae10fbb9393c7777bab27ae3
                                                                                                    • Instruction ID: 67702b4d515f44f5a32b9cf191ba8a6252a67184a747d48ceaeafa32facc0ee0
                                                                                                    • Opcode Fuzzy Hash: 6a40d7dc08a5c9f733bfb81ac1938db2d2f172daae10fbb9393c7777bab27ae3
                                                                                                    • Instruction Fuzzy Hash: 64F0E935A18A4A4FD355D71C84945A477E0FF16310B9501B6D548CB392DE6EF8908750
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e325c1eaafaaab2ae4f97daf53eb297c56aa7a26d075391e38539a2f8f9173fd
                                                                                                    • Instruction ID: 189b35d93ed5ea2df9d040011e2f6b825f0ecdb63d3adf316199c92f0c59084a
                                                                                                    • Opcode Fuzzy Hash: e325c1eaafaaab2ae4f97daf53eb297c56aa7a26d075391e38539a2f8f9173fd
                                                                                                    • Instruction Fuzzy Hash: 38F0F971B099298EDBA5DB5898616A8B371EB4A351F0041B6D05DE3241CE3668818B40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b4c45a34ab6a7616b8ea866b3d72e6adb6bea2dee41356e0c2e52f4bc659142c
                                                                                                    • Instruction ID: dd1b8b13a712742a6501d5f16333a71fab0557f5de688ef88e5460eed8bd1f7a
                                                                                                    • Opcode Fuzzy Hash: b4c45a34ab6a7616b8ea866b3d72e6adb6bea2dee41356e0c2e52f4bc659142c
                                                                                                    • Instruction Fuzzy Hash: A2F01969E2450D9FEB94EB98C8A5AECB7B1FF89B00F840075E148F7292CE2968418700
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d1421343c380d392ee1f30c9533e9f1845fb6e609d5442c1d971715b4a6b9a9e
                                                                                                    • Instruction ID: 6f7e38fbb7f7434276c66c54f7d82d8b347e35ba8374ea9499b741b83230fc63
                                                                                                    • Opcode Fuzzy Hash: d1421343c380d392ee1f30c9533e9f1845fb6e609d5442c1d971715b4a6b9a9e
                                                                                                    • Instruction Fuzzy Hash: C8F09C20B1C5198BEBA4EB58C4A2BE9B7A6EF99340F604178D44ED3296CD28A8458F40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 92f8ca2dd78c1f25935d87b7238b8db02c5cbadf0fedf0200e6fef346101d8b0
                                                                                                    • Instruction ID: c81fbcc431ff9587f3757881375c9b3d798ac8240cdcd028e132be0bbcd02686
                                                                                                    • Opcode Fuzzy Hash: 92f8ca2dd78c1f25935d87b7238b8db02c5cbadf0fedf0200e6fef346101d8b0
                                                                                                    • Instruction Fuzzy Hash: 4DF05430A08E088ED794EB288058B3B7AD2EFE9315F144A3FA48DE3365DE74A5448781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: af360b509913427e20a78405d548ed4812852afde2a423ed8b741b0df474725a
                                                                                                    • Instruction ID: 0bf56d5e3a391d88fb63418d5496c02a01fce15fdaaf3d5080fdbec5ca30716a
                                                                                                    • Opcode Fuzzy Hash: af360b509913427e20a78405d548ed4812852afde2a423ed8b741b0df474725a
                                                                                                    • Instruction Fuzzy Hash: 18F0BE2A70EA494FDBA0CA0CE4D4B61B3E2FBAA321F4902B4D54DC7255D536AC01C780
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3c5ae230aaa9953c165eb9e84c1e10ffb2ced5d39523be42e9b20ad7923cfee9
                                                                                                    • Instruction ID: 24cbde344141cc47117b6cc5d86c7ad54a7d124fb27656d11bc7dbd2c2f78030
                                                                                                    • Opcode Fuzzy Hash: 3c5ae230aaa9953c165eb9e84c1e10ffb2ced5d39523be42e9b20ad7923cfee9
                                                                                                    • Instruction Fuzzy Hash: 9AF04274E1491D9FDF84EF98D895AEDBBF1FF68301F50056AE409E3291DA34A8418B90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3ed716a0a17d0dd9a4b659a5d6904ea4401c54fd541b729b25a8cd0d036ec928
                                                                                                    • Instruction ID: 8f2451ebc0c2d0f40d5ccb33e827be29424cec647b7b8dc5f45b2f8e148753e4
                                                                                                    • Opcode Fuzzy Hash: 3ed716a0a17d0dd9a4b659a5d6904ea4401c54fd541b729b25a8cd0d036ec928
                                                                                                    • Instruction Fuzzy Hash: A9F03071A199498FEB94DB688451B99B7B1EF59310F5041A6C00DE7246DD3598828B80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 91fdf7e5e2d73ccd82e5e524364d5d3deac72ad3b626e0b9d8e215ef9a95aed9
                                                                                                    • Instruction ID: c76b02769cbefe1c559a90b16b268bc6f491187a3efac6ad45dea4ce8565fd4c
                                                                                                    • Opcode Fuzzy Hash: 91fdf7e5e2d73ccd82e5e524364d5d3deac72ad3b626e0b9d8e215ef9a95aed9
                                                                                                    • Instruction Fuzzy Hash: C6F01774E0451E8FDB58EB6494A53BDB6B2BF5A300F5000B9D10EF6282CB399980DB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                    • Instruction ID: 327066a33a2f66ed5d71b975967732ce98d8d118dfed0c71f0933751a97ef610
                                                                                                    • Opcode Fuzzy Hash: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                    • Instruction Fuzzy Hash: 40E06D317088098FE6A0D60CE495774B3D1FF99321B2201B2D00DC3255DE69DC014740
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 03595126f7eef218e244f8150c387adecff05934c76e8fa51549889e4ef81e19
                                                                                                    • Instruction ID: e65241e8a78612b2a0d7339abf7681222a211393e7a1472a1610578c673f0281
                                                                                                    • Opcode Fuzzy Hash: 03595126f7eef218e244f8150c387adecff05934c76e8fa51549889e4ef81e19
                                                                                                    • Instruction Fuzzy Hash: E9F09035D0D68C9FDB46DF2488616AA7FB0EF46200F0881EBE448C7193C63856148741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a35231eded523062a7139a9e599ec88d0e52a53656054bd6f137bc20dc504705
                                                                                                    • Instruction ID: a3f7dad07d932dfd98126ffcb165c25cfc8298412a55cdf8069c616016b6d387
                                                                                                    • Opcode Fuzzy Hash: a35231eded523062a7139a9e599ec88d0e52a53656054bd6f137bc20dc504705
                                                                                                    • Instruction Fuzzy Hash: 82D01270805A2D9F8B44DB58985D6DDB7F2FB68340710004FD00AF3242C7700850CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1f5be2185884c3ca36f5f8bf415b5e19a56164b106f7fa035fc71c5407267794
                                                                                                    • Instruction ID: e621fb8145de667b35a1bbebbdbf1581a76cfe4e0b357132ead442af5f60e3d9
                                                                                                    • Opcode Fuzzy Hash: 1f5be2185884c3ca36f5f8bf415b5e19a56164b106f7fa035fc71c5407267794
                                                                                                    • Instruction Fuzzy Hash: 41D0C970E14A098F9B40EF68C086899BBF0EB29311F64002AD048E7211DA35A8C18BD0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1f5be2185884c3ca36f5f8bf415b5e19a56164b106f7fa035fc71c5407267794
                                                                                                    • Instruction ID: e621fb8145de667b35a1bbebbdbf1581a76cfe4e0b357132ead442af5f60e3d9
                                                                                                    • Opcode Fuzzy Hash: 1f5be2185884c3ca36f5f8bf415b5e19a56164b106f7fa035fc71c5407267794
                                                                                                    • Instruction Fuzzy Hash: 41D0C970E14A098F9B40EF68C086899BBF0EB29311F64002AD048E7211DA35A8C18BD0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5fd17a0eb9396347405b1bd8c787333e79abdaed59a387e9781cb35cf0d16eca
                                                                                                    • Instruction ID: 97e9253b9daead735e100736b138bf9b680bb584b25754758fd66a4bbe312371
                                                                                                    • Opcode Fuzzy Hash: 5fd17a0eb9396347405b1bd8c787333e79abdaed59a387e9781cb35cf0d16eca
                                                                                                    • Instruction Fuzzy Hash: 30D09275A144098FD744DF54C0A19EAB6F0BF9A340F50002A904AFA296DA292915CBA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f56bec50c74c032315b4b5670a20aa457ad7872fd0075ec18ba0f3c8ea51fc00
                                                                                                    • Instruction ID: 89d19ae41b57f3a1140dd52b46fc84761147817fd36b310f3583237e80bba6fe
                                                                                                    • Opcode Fuzzy Hash: f56bec50c74c032315b4b5670a20aa457ad7872fd0075ec18ba0f3c8ea51fc00
                                                                                                    • Instruction Fuzzy Hash: A9C02B34E48008C6DB108D0090520F47338EF47200F122030D50EE3151CD1B69109600
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: db323330bb808700648753e7fb8f520fda2f7451a527e5072baa2be60b3591f5
                                                                                                    • Instruction ID: 5a403ec126e5e0901a769c0f21990856431bc2cb59dca0cc660d03525729d7c1
                                                                                                    • Opcode Fuzzy Hash: db323330bb808700648753e7fb8f520fda2f7451a527e5072baa2be60b3591f5
                                                                                                    • Instruction Fuzzy Hash: ABC09B36D4540D869710EA50D4B10F573B0FF47744F003875F54DDB456DE1B79145551
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2fec41de9c7a19dce8df9bda4ac0fd502c2f9ab7a41352a23dbeebd6bd1a2f26
                                                                                                    • Instruction ID: 223e75ff4fec852fc2a60fd1def01f85d4242926928da6aef04519ff5d5a838e
                                                                                                    • Opcode Fuzzy Hash: 2fec41de9c7a19dce8df9bda4ac0fd502c2f9ab7a41352a23dbeebd6bd1a2f26
                                                                                                    • Instruction Fuzzy Hash: 7FC08CB4E0000CAFC348DF14C0725B8B7F2FBDA300B40806E801AE7391DA391810CF80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 891c8ebdc47e25b95cd91330f284709623847cea0646f76fe200c7c439379fbc
                                                                                                    • Instruction ID: fee4f7d8d93b245527db9f0d08958b34c2a97feb41ae22c6a51aba1e54737ab9
                                                                                                    • Opcode Fuzzy Hash: 891c8ebdc47e25b95cd91330f284709623847cea0646f76fe200c7c439379fbc
                                                                                                    • Instruction Fuzzy Hash: 9EB09226B1842A8AE2A0F2D884726A9A2667F95310B504031E00AFA28BCC19680082A0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ffc7e38a4b566887ae19b07f6697c1e90aaf893f9510832e1be54e79bf016010
                                                                                                    • Instruction ID: dc5bafbbf401e5cd0747b67cb93e9a1649fc120ff6aedbf2be46cd06e1c52c2d
                                                                                                    • Opcode Fuzzy Hash: ffc7e38a4b566887ae19b07f6697c1e90aaf893f9510832e1be54e79bf016010
                                                                                                    • Instruction Fuzzy Hash: 8CA002B590192C8FD7D4DB595469765A9E2B7B8201FA480DB540EF2251DD300DD48BB4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0`L4$0`L4$8fL4$H^L4$H^L4$9_H$_L4$_L4
                                                                                                    • API String ID: 0-2964577207
                                                                                                    • Opcode ID: 16eca13be8feaea006343b250e6997a7ca277cc6d6a7ec56599c3f683fa04a57
                                                                                                    • Instruction ID: 5ba42e5025f51a802f821c4af348ba7ceca7e0987f937dc0d890bc440a74057d
                                                                                                    • Opcode Fuzzy Hash: 16eca13be8feaea006343b250e6997a7ca277cc6d6a7ec56599c3f683fa04a57
                                                                                                    • Instruction Fuzzy Hash: 7951C312B1CD9A4BEEB4AA5C24A52B973C2EF9975170541BAD90DD33CEDD2DEC4243C0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2749133420.00007FFD34440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34440000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34440000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (!M4$8!M4$H!M4$L,_^$N,_I$X!M4$^
                                                                                                    • API String ID: 0-113229123
                                                                                                    • Opcode ID: 9710fa02aabe2fe5c9fcbd57e31f3d4be61c2e677b00de2f3c8d22b896548e31
                                                                                                    • Instruction ID: b5134cfafa072a63ad5401491ace3d93869728dd1f635f272b165f73c8607ebc
                                                                                                    • Opcode Fuzzy Hash: 9710fa02aabe2fe5c9fcbd57e31f3d4be61c2e677b00de2f3c8d22b896548e31
                                                                                                    • Instruction Fuzzy Hash: E4516DA360E7942BE720AAEC7CA91FA7B90EF43335F04007BD58CCA197D958A4469381
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.2733804989.00007FFD34230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34230000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_7ffd34230000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 13x$2;x$3Cx$4Kx
                                                                                                    • API String ID: 0-455930644
                                                                                                    • Opcode ID: d82e35dfc5be12207ef09cacf702a168a5408147636eacdf58e9e5ee4c31187f
                                                                                                    • Instruction ID: e5e8ff5fed5301bab63d0ac1c6b58b60670764fbc03f65f28ad13691b8764d09
                                                                                                    • Opcode Fuzzy Hash: d82e35dfc5be12207ef09cacf702a168a5408147636eacdf58e9e5ee4c31187f
                                                                                                    • Instruction Fuzzy Hash: DDF0586B73643946912033DDF8311ED739CDFCB23A79853B3D248DF5830C8A240A92AA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000003.2315032140.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_3_4d90000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: 77b4c7cafc8af662e074aaadbc6eabf418d0e24312be2f2ba382a9f491e8a078
                                                                                                    • Instruction ID: 92885532b90c73c531862fc8c3e5014cade1b8cd71981e3a29acef2de3f6780c
                                                                                                    • Opcode Fuzzy Hash: 77b4c7cafc8af662e074aaadbc6eabf418d0e24312be2f2ba382a9f491e8a078
                                                                                                    • Instruction Fuzzy Hash: 95F18B34A006058FDB24DF19C484A6ABBF2FF8A714B15CA69E45ADB761D730FC42DB90
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000003.2315032140.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_3_4d90000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: L<'t
                                                                                                    • API String ID: 0-1348084525
                                                                                                    • Opcode ID: 8d621270936c7b1743da3ee66da36baa0b24e53855dc7f9593c34d69aefd1b9f
                                                                                                    • Instruction ID: 31e8c48a266bfa4d20831be034c01a36b9b2fe09917229a9f6d3991c18d37db7
                                                                                                    • Opcode Fuzzy Hash: 8d621270936c7b1743da3ee66da36baa0b24e53855dc7f9593c34d69aefd1b9f
                                                                                                    • Instruction Fuzzy Hash: E0615834B002059BDF18EFAAD59466EB7F2FF88704B248429D446EB390EF75AC058B91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000003.2315032140.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_3_4d90000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: L<'t
                                                                                                    • API String ID: 0-1348084525
                                                                                                    • Opcode ID: 29b21e3ced495da07df7f8e0894ac0b3d0c6821d01504fcac7b498a4f8db6c95
                                                                                                    • Instruction ID: d18e30e955d0b442f3e490454530df47873f450fc8624fa92e7aa163a1af44d6
                                                                                                    • Opcode Fuzzy Hash: 29b21e3ced495da07df7f8e0894ac0b3d0c6821d01504fcac7b498a4f8db6c95
                                                                                                    • Instruction Fuzzy Hash: 10419E31B001058BDB18EFBAD4546AEBBF6FFC8604B24C429D456E7390DF71AD058B91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000003.2315032140.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_3_4d90000_rundll32.jbxd
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a8e2bbeedff10c64adf311728e33b60a724779a06bf2a9c9f4647e1895642c0d
                                                                                                    • Instruction ID: 370702f90d990ec3dab7c639bb987e6f7a3e6ec6dd8a0bdda55086acbdd1d7f5
                                                                                                    • Opcode Fuzzy Hash: a8e2bbeedff10c64adf311728e33b60a724779a06bf2a9c9f4647e1895642c0d
                                                                                                    • Instruction Fuzzy Hash: 3FE068302053448FD3206B59E41452E7FE9FFC6358705045EF886C7790CE367D448BA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000003.2315032140.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_3_4d90000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d57aa8f79d65009d9d6b0dc5a9b1fae00b4de3b25ea881637e70e8eec1c0758f
                                                                                                    • Instruction ID: 46f07b4afa31785225e22d621ee3eec8f5b6c6a2c835c2f09195cfde91e1ceca
                                                                                                    • Opcode Fuzzy Hash: d57aa8f79d65009d9d6b0dc5a9b1fae00b4de3b25ea881637e70e8eec1c0758f
                                                                                                    • Instruction Fuzzy Hash: E1E0B674E0420CAFCB54EFE9D45459DBBF5EF88300F0081AAE809E7350EA345A048F81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000003.2315032140.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_3_4d90000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fbd2f794211ffcfad0141aaaef0a5f481eb0720b5c1f435fb6a9eeae521dd899
                                                                                                    • Instruction ID: 2d1e55b2d2a26514cf9eb55835dd117a581cd53bf2cd682f6c392ef2bc364a0e
                                                                                                    • Opcode Fuzzy Hash: fbd2f794211ffcfad0141aaaef0a5f481eb0720b5c1f435fb6a9eeae521dd899
                                                                                                    • Instruction Fuzzy Hash: 61C012B280D6C45FDB4286E05C599DE7F709B6B741F05404AE54164193D0940C05D737
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000003.2315032140.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_3_4d90000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4c4ba08dd8e97675113ddee3e08831ee685a8237bd3ce6cb0bacd108f7afcf05
                                                                                                    • Instruction ID: d026db80ad81af12ce8d298624bb5ba28dfbe94bbacfe7daab8eb599a26d9908
                                                                                                    • Opcode Fuzzy Hash: 4c4ba08dd8e97675113ddee3e08831ee685a8237bd3ce6cb0bacd108f7afcf05
                                                                                                    • Instruction Fuzzy Hash: 9BB0927090530CAF9620DA99980196AB7ACDA4AA10F0001D9E90887320DA76AD1056D1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000003.2315032140.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_3_4d90000_rundll32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 25beaec59c4b2bfe751a3a3aa9d7ec08c68ca6e7aaba73c48bbf8d57bc6b6d7d
                                                                                                    • Instruction ID: c03e9916105feebfc4069e09ce2e40f697692f45f442b72cd0dfd1d11584b4d2
                                                                                                    • Opcode Fuzzy Hash: 25beaec59c4b2bfe751a3a3aa9d7ec08c68ca6e7aaba73c48bbf8d57bc6b6d7d
                                                                                                    • Instruction Fuzzy Hash: DEA022FBA00A00E2E20F000800800FF03C0F3B3308BCC8002C2888A000B222A8B3E0A2